CVE-2026-56258 | Severity: CRITICAL | CNA: VulnCheck

CVE-2026-56258: Crawl4AI - Arbitrary File Write via output_path Symlink and TOCTOU

Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use (TOCTOU) attacks on the output_path parameter. Remote attackers can exploit insufficient path validation and symlink following to achieve arbitrary file write and potential code execution on systems where the runtime user has write access to executable or cron locations.

Metrics

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 0.8.8
Affected Products: 1


HarborGuard Analysis

Synopsis

An arbitrary file write vulnerability exists in Crawl4AI before version 0.8.8, affecting the screenshot and PDF output endpoints. The flaw is reachable over the network with no authentication required: an attacker supplies a crafted output_path value, then exploits insufficient path validation combined with a symlink and a time-of-check-time-of-use (TOCTOU) race to write files outside the intended directory. Successful exploitation enables arbitrary file write on the host, and on systems where the runtime user has write access to executable or cron locations, this escalates to remote code execution. A patched-image rebuild at version 0.8.8 is available on HarborGuard for environments running an affected version.
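The synopsis names two missing controls: containment of output_path within the intended directory, and not following a symlink that is swapped in between the path check and the write. The following is an added example, not Crawl4AI's code, of a hardened writer that performs the check and the open as one syscall per path component (O_NOFOLLOW relative to a directory fd), so a planted symlink is refused instead of followed; the function names and the demo scenario are constructed.

```python
import os
import tempfile
from pathlib import Path

def safe_write(base_dir: str, output_path: str, data: bytes) -> str:
    """Write data to output_path confined under base_dir (hypothetical hardening).

    1. Normalise output_path lexically; reject absolute paths and '..'.
    2. Open each component relative to a directory fd with O_NOFOLLOW, so a
       symlink planted after the check fails with ELOOP instead of being
       followed: check and open are the same syscall, closing the TOCTOU gap.
    """
    base = Path(base_dir).resolve(strict=True)
    rel = Path(os.path.normpath(output_path))
    if rel.is_absolute() or ".." in rel.parts or rel.parts == ():
        raise PermissionError(f"output_path escapes output dir: {output_path!r}")
    dir_fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in rel.parts[:-1]:  # every intermediate dir must be a real dir
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nfd
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        fd = os.open(rel.name, flags, 0o600, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    finally:
        os.close(dir_fd)
    return str(base / rel)

def demo() -> dict:
    """Constructed scenario: symlinks planted in the output dir pointing outside it."""
    base, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.symlink(outside, os.path.join(base, "link"))                            # dir symlink
    os.symlink(os.path.join(outside, "pwned"), os.path.join(base, "shot.pdf"))  # dangling file symlink
    attempts = {"dotdot": "../evil", "absolute": "/tmp/evil",
                "dir_symlink": "link/evil.png", "file_symlink": "shot.pdf"}
    results = {}
    for name, path in attempts.items():
        try:
            safe_write(base, path, b"x")
            results[name] = "written"
        except OSError:  # PermissionError from the check and ELOOP from open both land here
            results[name] = "refused"
    results["normal"] = os.path.isfile(safe_write(base, "page.png", b"\x89PNG"))
    results["outside_untouched"] = os.listdir(outside) == []
    return results

if __name__ == "__main__":
    print(demo())
```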

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-56258 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Crawl4AI. Images carrying any version of Crawl4AI below 0.8.8 are flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.2 (CVSS v4.0, Critical) and applies per-environment compliance policy weighting to determine urgency and escalation path. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at Crawl4AI 0.8.8 is available on HarborGuard for any image identified as running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable screenshot and PDF endpoints are exposed over the network, so an attacker must be able to reach the service remotely to supply a malicious output_path value.

  • Authentication: Not required

    No credentials or session token are needed; the endpoints accept unauthenticated requests, giving any network-reachable attacker direct access.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from a user or administrator on the target system.

  • Attack complexity: Detail

    Exploitation is conditionally complex: the attacker must win a TOCTOU race and plant a symlink at the right moment, and the CVSS vector notes a specific prerequisite condition (AT:P), making reliable exploitation dependent on timing and local filesystem state.

Blast Radius

  • The attacker writes arbitrary file content to any path the runtime user can reach on the host filesystem, overwriting or creating files outside the intended output directory.
  • On systems where the runtime user has write access to executable paths, cron directories, or init scripts, the attacker plants a malicious file that executes with the privileges of that runtime user.
  • Confidentiality of existing files is compromised if the attacker overwrites configuration files, credential stores, or private keys by replacing them through the symlink chain.
  • Availability of the affected service and dependent processes is disrupted if critical runtime files are corrupted or replaced with non-functional content.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active for all connected registries and pipelines the moment the advisory is ingested, covering both upstream base images and custom images that include Crawl4AI. For environments running any Crawl4AI version below 0.8.8, a rebuilt image at version 0.8.8 is available. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where auto-remediation is not enabled, the rebuilt image is staged and a triage alert is routed to the team inbox for manual review and promotion. Until patching is complete, consider applying network-policy controls to restrict access to the screenshot and PDF endpoints to trusted internal sources only, and review the runtime user's write permissions on executable and cron paths to limit the blast radius of any successful exploit.


Fix available: 0.8.8
Affected packages
  • Crawl4AI / Crawl4AI
    < 0.8.8 (from 0)
    Fixed in 0.8.8
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N