CVE-2026-46497
SSRF Vulnerability in Crawlee Library

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor  Product  Version / Range
apify   crawlee  before 1.7.0 (exclusive)
apify   crawlee  1.7.0
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Quick Actions
Executive Summary

CVE-2026-46497 is a blind Server-Side Request Forgery (SSRF) vulnerability in the Crawlee Python library, affecting versions 1.0.0 to 1.6.3. It allows an attacker who controls sitemap or robots.txt files to manipulate the crawler into making HTTP requests to internal hosts or non-HTTP URLs by bypassing URL scheme validation.

The vulnerability has two layers: the first allows cross-host HTTP SSRF by enqueuing internal URLs from attacker-controlled sitemaps or robots.txt files; the second escalates to non-HTTP schemes (such as gopher, file, ftp) when using the CurlImpersonateHttpClient.

Exploitation requires the attacker to control the sitemap or robots.txt content, the crawler to fetch it, and network access to the target. The issue was fixed in version 1.7.0 by enforcing host-based filtering and stricter URL validation.

Impact Analysis

This vulnerability can allow an attacker to make the crawler send requests to internal services or non-HTTP resources that are normally inaccessible, potentially exposing sensitive internal network information.

Possible impacts include probing internal services, exploiting Redis servers via the gopher protocol, or accessing local files through the file protocol.

Because the SSRF is blind, the attacker may not see direct responses but can still infer information based on the crawler's behavior or side effects.

Detection Guidance

This vulnerability involves SSRF via sitemap-derived URLs in Crawlee versions 1.0.0 to 1.6.3, where an attacker can manipulate sitemap or robots.txt files to force HTTP requests to internal or non-HTTP URLs.

To detect exploitation attempts on your network or system, monitor HTTP requests initiated by Crawlee that target internal hosts or unusual URL schemes such as gopher://, file://, or ftp://.

You can use network monitoring tools or packet capture utilities (e.g., tcpdump, Wireshark) to filter outgoing requests from the Crawlee process.

  • Use tcpdump to capture HTTP(S) traffic from the Crawlee host (note that this captures all traffic on those ports, not only Crawlee's): tcpdump -i <interface> 'tcp port 80 or tcp port 443'
  • Filter logs or network traffic for requests to internal IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16) or non-HTTP schemes.
  • Inspect Crawlee logs for URLs enqueued from sitemaps or robots.txt that point to internal or non-HTTP URLs.

Mitigation Strategies

The primary mitigation is to upgrade Crawlee to version 1.7.0 or later, where the vulnerability is patched.

Version 1.7.0 enforces host-based filtering and stricter URL validation at both sitemap loading and HTTP client levels, preventing SSRF via manipulated sitemaps or robots.txt.

If upgrading immediately is not possible, consider implementing network-level restrictions to block Crawlee from making requests to internal IP ranges or non-HTTP URL schemes.

Additionally, review and restrict the sources of sitemaps and robots.txt files that Crawlee processes to trusted domains only.
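One way to apply the host-based filtering and scheme validation described in the mitigation above, and to run the same policy over crawler log lines as the detection guidance suggests, is shown in this added example. It is not Crawlee's own code and does not use its API: the function names, the log line format and the policy (http/https only, same host as the sitemap, no literal internal addresses) are assumptions of the example. The sample log lines are constructed.

```python
"""
Added example (not part of Crawlee): allow-list filter for sitemap-derived URLs,
plus a scan of enqueue log lines with the same policy.  Function names, the
log format and the policy are assumptions made for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Only web schemes may leave the crawler; gopher, file, ftp, etc. are rejected
# before any HTTP client sees the URL.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def _is_internal_host(host: str) -> bool:
    """True for loopback names and for literal IPs outside the public ranges.

    A DNS name is *not* resolved here: a name that resolves to an internal
    address must be caught at connection time (see the usage note).
    """
    if host in ("", "localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, left to the connection-time check
    return not ip.is_global  # private, loopback, link-local, reserved, ...


def classify_url(url: str, sitemap_host: str) -> str:
    """Return 'ok', or the reason a sitemap-derived URL is rejected.

    Policy (assumed, not Crawlee's): http/https only, same host as the
    sitemap that produced the URL, and never a literal internal address.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"non-http scheme: {scheme or '<none>'}"
    host = (parts.hostname or "").lower()
    if not host:
        return "missing host"
    if _is_internal_host(host):
        return f"internal host: {host}"
    if host != sitemap_host.lower():
        return f"cross-host: {host} != {sitemap_host}"
    return "ok"


def filter_sitemap_urls(urls, sitemap_host: str):
    """Keep only the URLs the policy allows (mitigation side)."""
    return [u for u in urls if classify_url(u, sitemap_host) == "ok"]


# Detection side: the same policy applied to enqueue log lines.
# The "url=<value>" field is an assumed, constructed log format.
_URL_RE = re.compile(r"\burl=(\S+)")


def scan_enqueue_log(lines, sitemap_host: str):
    """Return (url, reason) for every logged enqueue that violates the policy."""
    findings = []
    for line in lines:
        match = _URL_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        reason = classify_url(url, sitemap_host)
        if reason != "ok":
            findings.append((url, reason))
    return findings


# Constructed sample log lines for a crawl whose sitemap lives on example.com.
SAMPLE_LOG = [
    "2026-06-10T12:00:01Z INFO enqueued url=https://example.com/products source=sitemap",
    "2026-06-10T12:00:02Z INFO enqueued url=http://10.0.0.5/admin source=sitemap",
    "2026-06-10T12:00:03Z INFO enqueued url=gopher://127.0.0.1:6379/_INFO source=robots.txt",
    "2026-06-10T12:00:04Z INFO fetched 200 bytes=4096",
]

if __name__ == "__main__":
    for url, reason in scan_enqueue_log(SAMPLE_LOG, "example.com"):
        print(f"FLAG {reason}: {url}")
```

The scheme check runs before anything reaches an HTTP client, and the host check runs when the sitemap is loaded, which mirrors the two levels the advisory says 1.7.0 enforces. The literal-IP test is deliberately not a complete SSRF guard: a hostname that resolves to an internal address (or rebinds to one) is only caught if the client re-checks the resolved address at connection time, so network-level restrictions remain the backstop. Because gopher and ftp do not use ports 80 or 443, inspecting enqueue logs like this complements a packet capture filtered to the HTTP ports.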
