Crawl4AI RCE: Hook, Line, and Sinker
Vulnerability ID: CVE-2026-26216
CVSS Score: 10.0
Published: 2026-02-12
A Critical RCE in Crawl4AI's Docker API allows unauthenticated attackers to execute arbitrary Python code via the 'hooks' parameter. By leveraging an insecure implementation of 'exec()' and a failed attempt at sandboxing that left 'import' exposed, attackers can bypass restrictions and compromise the host container.
TL;DR
Unauthenticated Remote Code Execution in Crawl4AI Docker deployments. The application allows users to define custom Python 'hooks' for web scraping. The sandbox implementation failed to block the __import__ builtin, allowing attackers to escape the sandbox and execute system commands as the container user. Patch immediately to v0.8.0.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-94 (Improper Control of Generation of Code)
- CVSS v3.1: 10.0 (Critical)
- Attack Vector: Network (Unauthenticated)
- Impact: Remote Code Execution (RCE)
- EPSS Score: 0.20% (Rising)
- Exploit Status: Proof of Concept Available
Affected Systems
- Crawl4AI Docker API (versions < 0.8.0)
-
Crawl4AI: < 0.8.0 (Fixed in:
0.8.0)
Code Analysis
Commit: unknown
Due to the nature of the advisory, exact commit hash for the fix was not explicitly linked in the provided text, but release 0.8.0 contains the patch.
Unknown
Exploit Details
- Nuclei Templates: Nuclei template for detecting unauthenticated RCE in Crawl4AI
Mitigation Strategies
- Update to patched version
- Network Isolation
- Reverse Proxy Authentication
Remediation Steps:
- Identify all running instances of Crawl4AI Docker containers.
- Execute
docker pull unclecode/crawl4ai:latestto fetch version 0.8.0+. - Stop and remove the old containers.
- Start new containers using the updated image.
- Verify the instance is no longer susceptible by checking the version banner.
References
Read the full report for CVE-2026-26216 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)