CVE-2026-56266
HighCVSS 8.6Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
Crawl4AI before version 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.
Risk Assessment
The risk involves unauthorized access to internal network resources, such as internal services and cloud metadata endpoints, potentially leading to sensitive data leakage or further infrastructure compromise.
Recommendation
It is recommended to immediately upgrade Crawl4AI to version 0.8.7 or later and implement additional URL validation and network restrictions for SSRF-vulnerable endpoints.
Original NVD description (English source)
Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.

