CVE-2026-56266 (Severity: CRITICAL; CNA: VulnCheck)

CVE-2026-56266: Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.

Metrics

  • CVSS v4.0: 9.2
  • Severity: CRITICAL
  • Fixed in: 0.8.7
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Server-side request forgery (SSRF) affects Crawl4AI before version 0.8.7, present in the /crawl, /crawl/stream, /md, and /llm endpoints, which fetch arbitrary user-supplied URLs without validation. The vulnerability is reachable over the network with no authentication required, and attackers can bypass the internal-address blocklist by supplying IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints (such as the AWS instance metadata service). A patched-image rebuild at version 0.8.7 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-56266 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Crawl4AI. Coverage extends to any image layer where an affected version of the package is present.

Triage: Available

Triage is available with a CVSS v4.0 score of 9.2 (Critical), weighted further against each customer organization's per-environment compliance policies to determine urgency and routing. Findings are dispatched to the appropriate team inbox within the customer org based on workload ownership and policy configuration.

Patch: Available

A patched-image rebuild at Crawl4AI version 0.8.7 becomes available in HarborGuard the moment the fix version is confirmed against the upstream release. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoints are exposed over the network, so an attacker must be able to send HTTP requests to the Crawl4AI service to exploit this vulnerability.

  • Authentication: Not required

    No credentials or session token are needed; the affected endpoints accept and process user-supplied URLs from unauthenticated requests.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user or operator of the affected service.

  • Attack complexity: Low (the CVSS vector lists AC:L)

    The exploit is reliable and condition-free once the service is reachable; the only craft required is supplying an IPv6-mapped IPv4 address to bypass the internal-address blocklist, which is a well-documented technique with no race condition or environmental dependency.

Blast Radius

  • Attacker reads responses from internal services on the host network, including private APIs, databases, or microservices not intended to be externally reachable.
  • Attacker retrieves cloud instance metadata (for example, AWS IMDSv1 credentials, GCP service account tokens), which can be used to escalate access to the broader cloud environment.
  • Confidentiality of data held by internal services is directly exposed; there is no write or availability impact to the Crawl4AI instance itself, but downstream systems reached via SSRF may be further compromised using harvested credentials.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-56266 is active for all images scanned against the HarborGuard feed, with a critical-severity (9.2) finding raised for any image containing Crawl4AI below version 0.8.7. A rebuilt image at the fixed version (0.8.7) is available for affected workloads. For customers who opt into auto-remediation, HarborGuard triggers a patched rebuild, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with the CVSS detail and exploit context pre-populated. Given the unauthenticated network-reachable nature of this SSRF and its ability to reach cloud metadata endpoints, upgrading to 0.8.7 promptly is the primary recommended action; as a compensating control before patching, network-policy rules restricting egress from the Crawl4AI container to known-safe external destinations will limit the blast radius.
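As an added illustration (not code from Crawl4AI or HarborGuard) of why a string-prefix blocklist fails against the IPv6-mapped IPv4 form described above, and of the destination check a defender would want in front of any URL fetcher: the hardened function unwraps `::ffff:a.b.c.d` before classifying the address and, for hostnames, takes an injected `resolver` callable (an assumption made so the example runs offline) rather than calling DNS itself.

```python
"""Naive vs. hardened SSRF destination check for a URL-fetching service.

Added example, not Crawl4AI's own validation code. The naive check mirrors
the kind of prefix blocklist the advisory says is bypassable; the hardened
check normalises IPv6-mapped IPv4 literals before deciding.
"""
import ipaddress
from urllib.parse import urlsplit

# Prefixes a crawler "should never reach" - the naive approach compares
# strings, so "::ffff:169.254.169.254" matches none of them.
NAIVE_BLOCKLIST = ("127.", "10.", "192.168.", "169.254.")


def naive_allows(url: str) -> bool:
    """String-prefix blocklist; returns True when the URL would be fetched."""
    host = urlsplit(url).hostname or ""
    return not host.startswith(NAIVE_BLOCKLIST)


def _is_internal(ip) -> bool:
    """Classify an IPv4Address/IPv6Address as non-routable or otherwise internal."""
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to the embedded address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_link_local covers 169.254.0.0/16, which includes cloud metadata IPs.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def hardened_allows(url: str, resolver=None) -> bool:
    """Parse the host as an IP literal (or resolve it via `resolver`) and classify.

    `resolver` is a hypothetical callable hostname -> IP string; when it is
    absent, hostnames are refused rather than fetched unchecked.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # urlsplit strips the [] around IPv6 literals
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if resolver is None:
            return False
        try:
            ip = ipaddress.ip_address(resolver(host))
        except ValueError:
            return False
    return not _is_internal(ip)
```

The address actually connected to must be the one that was checked; resolving once for validation and again inside the HTTP client leaves a rebinding window, so pass the vetted IP to the fetcher or pin the resolver.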


Fix available: 0.8.7
Affected packages
  • Crawl4AI / Crawl4AI
    < 0.8.7 (from 0)
    Fixed in 0.8.7
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N