CVE-2026-56265
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
Crawl4AI before version 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.
Risk Assessment
The risk for the organization includes unauthorized access to sensitive data and system functions, potentially leading to breaches of confidentiality, integrity, and service availability.
Recommendation
It is recommended to immediately update Crawl4AI to version 0.8.7 or later and change the default JWT key to a unique, strong key.
Original NVD description (English source)
Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.

