Unauthenticated SSRF in Crawl4AI: CVE-2026-56266 (CVSS 8.6/9.2) - Update to 0.8.7
Crawl4AI, a popular crawler for AI data collection, has a serious flaw in its Docker API server that is exploitable without authentication (CVE-2026-56266). An attacker can make the server fetch internal-network and cloud-metadata resources and steal cloud access keys. All versions before 0.8.7 are affected; 0.8.7 also fixes several other flaws, including a pre-auth RCE. Update now.

Makoto Horikawa
Backend Engineer / AWS / Django
Crawl4AI, a popular open-source crawler (web-page collection tool) used to gather data that AI systems train on or retrieve from, has a high-severity flaw. It is tracked as CVE-2026-56266, with a CVSS score of 8.6 (v3.1, rated High) and 9.2 (v4.0, rated Critical). It was published with advisory GHSA-365w-hqf6-vxfg on June 22, 2026.
The bug type is SSRF (Server-Side Request Forgery): the server fetches whatever URL it is given, so an attacker can make it reach internal-network or cloud-internal resources that the attacker could not reach directly. The affected component is Crawl4AI's network-exposed "Docker API server," and exploitation requires no login. All versions before 0.8.7 are affected; the fix is 0.8.7.
| Item | Detail |
| --- | --- |
| Software | Crawl4AI (Docker API server) |
| CVE | CVE-2026-56266 (GHSA-365w-hqf6-vxfg) |
| Severity | CVSS 8.6 (v3.1) / 9.2 (v4.0) |
| Type | SSRF (CWE-918) |
| Affected | all versions before 0.8.7 |
| Fixed in | 0.8.7 and later |
| Attack conditions | Unauthenticated, over the network (when the Docker API server is exposed) |
Who is at risk, and what is the damage
The attackers to expect are those who scan for Crawl4AI Docker API servers exposed to the internet and hit them without authentication. The classic dangerous setup is a server spun up quickly for AI development or data-collection testing that ends up reachable from outside.
Exploiting the fact that crawl target URLs are not properly validated, the attacker makes the server itself reach internal-network or cloud-internal addresses. A prime target is the internal address a cloud VM uses to fetch its own configuration and credentials (the cloud metadata service, e.g. 169.254.169.254). Reaching it lets the attacker steal the instance's cloud access keys.
Once the cloud keys are taken, the damage does not stop at that one server. The attacker can use the keys to move into the whole cloud environment (exfiltrating or destroying stored data, hijacking other services, running up fraudulent charges) and can probe internal services on the network side. Crawl4AI is often embedded as an AI data-collection base, so the impact grows if it sits in a production pipeline. That is why the update and exposure review below are urgent.
One caveat: the risk is mainly in the "Docker API server" configuration exposed on a network. If you only call Crawl4AI as a library inside your own program, you are less likely to be directly affected. The starting point is confirming how you run Crawl4AI.
What is happening, technically
It is classified as CWE-918 (SSRF). The core is that endpoints such as /crawl and /llm fetch a given URL without sufficient validation. Even where there is a check to block access to internal addresses, an irregular notation such as an IPv4-mapped IPv6 address (for the metadata address above, the mapped form would be ::ffff:169.254.169.254) can slip past it and reach internal services or cloud metadata, as reported.
The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N: attackable over the network, low complexity, no privileges or user interaction required, with impact spreading beyond the vulnerable component (scope changed) and high confidentiality impact. The weight is on reading (theft) rather than direct modification or downtime, but since what gets stolen is cloud keys, the secondary damage can be severe.
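To make the bypass concrete, here is an added example in Python (not code from the Crawl4AI project): a weak "internal address" check of the prefix-list kind beside a hardened one. The hardened check parses the host with the ipaddress module, unwraps IPv4-mapped IPv6 literals before applying the IPv4 rules, refuses non-HTTP schemes, and resolves hostnames so that a name pointing at the metadata address is also caught. It goes beyond the single mapped-IPv6 case in the text. The FAKE_DNS table and the resolve hook are constructed so the example runs offline; resolve_with_dns is what a real deployment would plug in.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline. The mapping for
# metadata.google.internal is an assumption for the demo, not a live lookup.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
}


def fake_resolve(host):
    """Offline resolver: returns the constructed addresses for a name, or []."""
    return FAKE_DNS.get(host, [])


def resolve_with_dns(host):
    """Real resolver for production use (not exercised here): every address the name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# --- Weak check: string prefixes on the host as written in the URL -------------
BLOCKED_PREFIXES = ("127.", "10.", "192.168.", "169.254.", "localhost")


def weak_is_blocked(url):
    """Blocks only hosts whose literal text starts with a known internal prefix.
    '::ffff:169.254.169.254' starts with '::ffff:', so it passes straight through."""
    host = urlparse(url).hostname or ""
    return host.startswith(BLOCKED_PREFIXES)


# --- Hardened check: classify the address the server would actually connect to --
def _address_is_internal(addr):
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def hardened_is_blocked(url, resolve=fake_resolve):
    """True if the URL must not be fetched. Fails closed on anything it cannot classify."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return True                      # file://, gopher://, etc. are never crawl targets
    host = parsed.hostname
    if not host:
        return True
    try:
        addrs = [ipaddress.ip_address(host)]          # IPv4 or IPv6 literal (brackets already stripped)
    except ValueError:
        resolved = resolve(host)                      # a hostname: check every address it resolves to
        if not resolved:
            return True                               # unresolvable name: fail closed
        addrs = [ipaddress.ip_address(a) for a in resolved]
    return any(_address_is_internal(a) for a in addrs)


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "https://example.com/"):
        print(f"{u:55} weak={weak_is_blocked(u)!s:5} hardened={hardened_is_blocked(u)}")
```

Two design notes. Unwrapping the mapped address explicitly, rather than trusting is_private alone, keeps the verdict independent of how a given Python version classifies ::ffff:a.b.c.d. And resolving the name in the check while the HTTP client resolves it again for the fetch leaves a DNS-rebinding window; a production version should connect to the address it vetted, or re-run the check on each redirect and on the resolved peer.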
0.8.7 fixed several related flaws at once
CVE-2026-56266 is not alone; it is one of a cluster of flaws found in Crawl4AI's Docker API server, all fixed in 0.8.7. The advisory covers file write, SSRF, authentication bypass, and script execution. Of particular note are a pre-authentication RCE (CVE-2026-53753) reported to allow code execution on the server without logging in, and another SSRF that bypasses the check (such as CVE-2026-53755 via proxy settings). In short, 0.8.7 is not a single patch but an update that raises the overall safety of the Docker API server, and it should be applied without fail.
Confirmed vs. still unknown
Confirmed facts
- CVE-2026-56266 is an unauthenticated SSRF that can reach internal services and cloud metadata (NVD / Crawl4AI advisory)
- All versions before 0.8.7 are affected; fixed in 0.8.7. The target is the Docker API server configuration
- 0.8.7 also fixes several related flaws, including a pre-auth RCE
Not yet confirmed
- Whether it has been exploited in the wild: not on the CISA KEV list at the time of writing
- Whether a public PoC exists: no reliable public information confirmed at the time of writing
What to do now
The top priority is to update Crawl4AI to 0.8.7 or later. If you run anything before 0.8.7, treat it as affected, whether test or production, and apply the update urgently if you run the Docker API server.
If you cannot update right away, do not expose the Crawl4AI server directly to the internet: keep it on the internal network or behind a VPN and restrict source addresses. If you run it in the cloud, reduce the blast radius of stolen credentials: require the token-based metadata service (IMDSv2 on AWS, whose session token must be obtained with a PUT request that a GET-only SSRF cannot issue), block egress from the crawler to the metadata address at the network level where you can, and give the crawler's role the least privilege possible. To avoid missing flaws in OSS packages like Crawl4AI, keep a way to continuously check your OSS dependencies so you can move quickly on the next one.
Summary
CVE-2026-56266 is an SSRF in the Docker API server of the popular AI crawler Crawl4AI that lets an unauthenticated attacker turn the server into a springboard for internal probing, potentially stealing credentials via cloud metadata. CVSS is 8.6 (v3.1) / 9.2 (v4.0). All versions before 0.8.7 are affected, and 0.8.7 also fixes several critical flaws including a pre-auth RCE.
In AI development, data-collection tools are often spun up, exposed, and forgotten. Use this as a prompt to review the update and to know which servers are running and how exposed they are.