CVE-2026-56261: Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without de
Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, or cloud metadata endpoints (e.g. 169.254.169.254), causing the server to make requests to internal services and potentially expose cloud metadata.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-56261
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-56261 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for Crawl4AI
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-57573: Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker AP…nvd · 2026-07-06
- criticalCVE-2026-57572: Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker AP…nvd · 2026-07-06
- criticalCVE-2026-57571: Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the craw…nvd · 2026-07-06
- highCVE-2026-56264: Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker A…nvd · 2026-06-30
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11