HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-53753Published Modified CNA GitHub_M

CVE-2026-53753: Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API

Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution. The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema. This vulnerability is fixed in 0.8.7.

Metrics

CVSS v3.1
9.8
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A sandbox escape vulnerability in Crawl4AI's computed fields feature allows an unauthenticated attacker to break out of the AST (abstract syntax tree) expression evaluator and execute arbitrary code on the host. The flaw is reachable over the network with no credentials required, because JWT authentication is disabled by default, and is triggered by sending a crafted extraction schema to the POST /crawl endpoint. Successful exploitation gives the attacker full control over the container process, including the ability to read secrets, modify data, and disrupt the service. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the crawl4ai package. Any image carrying an affected version of crawl4ai (below 0.8.7) is flagged automatically in both registry scans and CI pipeline checks.

Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting that score against each customer org's compliance policy to surface the finding at the appropriate severity tier. Triage routing routes the alert to the inbox or ticketing integration configured for that environment, so the right team sees it without manual filtering.

Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fixed release of crawl4ai appears. In the meantime, customers with auto-remediation enabled can apply compensating controls such as network-policy rules that restrict inbound access to the Docker API endpoint, reducing the network-reachable attack surface while the upstream patch is pending.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable POST /crawl endpoint is exposed over the network, so an attacker must be able to reach the service's HTTP port to deliver a malicious extraction schema payload.

  • AuthenticationNot required

    JWT authentication is disabled by default in Crawl4AI, so no credentials or session token are needed to reach the vulnerable endpoint.

  • Victim interactionNot required

    The attacker triggers exploitation entirely by sending a crafted HTTP request; no user action, click, or social-engineering step is required.

  • Attack complexityDetail

    Attack complexity is low: the exploit is a straightforward HTTP POST with a malicious schema payload and requires no race conditions, special memory layout, or environmental timing.

Blast Radius

  • Reads any secret, credential, or file accessible to the container process, including environment variables holding API keys or database passwords.
  • Executes arbitrary commands on the container host, including writing or modifying files on mounted volumes or shared storage.
  • Crashes or permanently disrupts the crawl4ai service by killing the process or consuming all available resources.
  • Pivots to other services reachable from the compromised container, depending on the container network configuration.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all images carrying crawl4ai below 0.8.7 within minutes of the advisory being ingested, covering both images pulled from public registries and custom-built images. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads the moment version 0.8.7 or later ships. While waiting for the upstream fix, customers can apply compensating controls: network policies that restrict inbound HTTP access to the crawl4ai Docker API port to trusted source CIDRs only, egress filtering to limit lateral movement from a compromised container, and, where the deployment model permits, disabling or gating the computed fields feature via a feature flag or deployment configuration to remove the vulnerable code path from the request surface entirely.

See how HarborGuard automates this
Affected packages
  • unclecode / crawl4ai
    < 0.8.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References