๐Ÿ” CVE Alert

CVE-2026-57572

CRITICAL 10.0

Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args

CVSS Score
10.0
EPSS Score
0.5%
EPSS Percentile
41th

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server accepted request-supplied browser_config.extra_args, which flowed into Chromium's launch arguments. An attacker could inject Chromium switches that replace a child-process launch command together with --no-zygote, causing Chromium to fork or exec an attacker-controlled command as the container's runtime user. The Docker API is unauthenticated by default, so a single request yields arbitrary command execution. This issue is fixed in version 0.9.0.

CWE CWE-88 CWE-94
Vendor unclecode
Product crawl4ai
Published Jul 6, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for unclecode crawl4ai

Be the first to know when new critical vulnerabilities affecting unclecode crawl4ai are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

unclecode / crawl4ai
< 0.9.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/unclecode/crawl4ai/security/advisories/GHSA-r253-r9jw-qg44 github.com: https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2