CVE-2026-56265 PUBLISHED

Crawl4AI - Authentication Bypass via Hardcoded JWT Signing Key

Assigner: VulnCheck
Reserved: 20.06.2026
Published: 21.06.2026
Updated: 22.06.2026

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.
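The weak pattern this record describes, beside the fail-closed startup check that removes it, as an added Python illustration that is not Crawl4AI's code; the default secret value, the `JWT_SECRET_KEY` variable name and the 32-character minimum are assumptions:

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Hypothetical stand-in for a key shipped in the source tree; NOT Crawl4AI's actual default.
SHIPPED_DEFAULT_SECRET = "example-default-secret"  # assumption

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: str) -> str:
    """Server-side token minting: header.payload.HMAC-SHA256(header.payload)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature is valid under `secret`, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never accept alg=none or an algorithm downgrade
        expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None

def weak_signing_secret(env: dict) -> str:
    """The vulnerable pattern: silently fall back to a key that anyone can read from the source."""
    return env.get("JWT_SECRET_KEY", SHIPPED_DEFAULT_SECRET)  # variable name is an assumption

def hardened_signing_secret(env: dict) -> str:
    """Fail closed: a missing, shipped-default or short key must stop the server from starting."""
    secret = env.get("JWT_SECRET_KEY", "")
    if not secret or secret == SHIPPED_DEFAULT_SECRET or len(secret) < 32:
        raise RuntimeError("JWT_SECRET_KEY must be set to a strong, deployment-specific value")
    return secret

if __name__ == "__main__":
    # Vulnerable deployment: a token minted under the shipped default is accepted as-is.
    weak = weak_signing_secret({})
    print(verify_hs256(sign_hs256({"sub": "alice"}, weak), weak))
    # Hardened deployment: per-deployment secret; the same default-keyed token verifies as None.
    strong = hardened_signing_secret({"JWT_SECRET_KEY": secrets.token_urlsafe(48)})
    print(verify_hs256(sign_hs256({"sub": "alice"}, weak), strong))
```

A deployment check that greps images and configs for the shipped default, and an alert on startup when `hardened_signing_secret` raises, turns this class of bug into a detectable misconfiguration rather than a silent bypass.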

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Crawl4AI
Product Crawl4AI
Versions (default status: unaffected)
  • affected from 0 to 0.8.7 (excl.)
  • version 0.8.7 is unaffected

References

Problem Types

  • CWE: Use of Hard-coded Credentials