CVE-2026-56261

Source
https://cve.org/CVERecord?id=CVE-2026-56261
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56261.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-56261
Aliases
Published
2026-07-10T13:57:52.897Z
Modified
2026-07-11T04:11:25.369616976Z
Severity
  • 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
Summary
Crawl4AI - Server-Side Request Forgery via Webhook URLs
Details

Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, or cloud metadata endpoints (e.g. 169.254.169.254), causing the server to make requests to internal services and potentially expose cloud metadata.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56261.json",
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/unclecode/crawl4ai

Affected ranges

Type
GIT
Repo
https://github.com/unclecode/crawl4ai
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.7"
        }
    ]
}

Affected versions

0.*
0.3.4
docker-rebuild-v0.*
docker-rebuild-v0.8.6
v.*
v.3.72
v0.*
v0.0.75
v0.1.0
v0.2.0
v0.2.1
v0.2.4
v0.2.6
v0.2.7
v0.2.71
v0.2.72
v0.2.73
v0.2.74
v0.2.77
v0.3.0
v0.3.3
v0.3.6
v0.3.745
v0.4.24
v0.4.243
v0.5.0.post1
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.8.6
vr0.*
vr0.6.0
vr0.6.0rc1
vr0.6.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56261.json"