CVE-2026-56261 PUBLISHED

Crawl4AI - Server-Side Request Forgery via Webhook URLs

Assigner: VulnCheck
Reserved: 19.06.2026 Published: 10.07.2026 Updated: 10.07.2026

Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, or cloud metadata endpoints (e.g. 169.254.169.254), causing the server to make requests to internal services and potentially expose cloud metadata.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor Crawl4AI
Product Crawl4AI
Versions Default: unaffected
  • affected from 0 to 0.8.7 (excl.)
  • Version 0.8.7 is unaffected

References

Problem Types

  • Server-Side Request Forgery (SSRF) CWE