CVE-2026-53753
Status: Undergoing Analysis - In Progress
Code Execution in Crawl4AI via Sandbox Escape

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Crawl4AI is an open-source, LLM-friendly web crawler and scraper. Prior to 0.8.7, the _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes whose names start with an underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do not start with an underscore, enabling a complete sandbox escape and arbitrary code execution. The attack requires no authentication (JWT is disabled by default) and is triggered via POST /crawl with a crafted extraction schema. This vulnerability is fixed in 0.8.7.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Cross-references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor: unclecode; Product: crawl4ai; Version / Range: up to 0.8.7 (excluding)
Vendor: unclecode; Product: crawl4ai; Version / Range: 0.8.7
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-913: The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
AI Quick Actions (AI-generated insights)
Executive Summary

CVE-2026-53753 is a critical vulnerability in the crawl4ai Python package (versions up to 0.8.6) that allows unauthenticated remote code execution (RCE). The flaw exists in the _safe_eval_expression() function used for computed fields, which attempts to sandbox code by blocking attributes starting with underscores. However, Python generator and frame object attributes like gi_frame, f_back, and f_builtins do not start with underscores, allowing attackers to bypass this sandbox.

By exploiting these attributes, an attacker can access the real __import__ function through f_builtins, enabling arbitrary code execution within the Docker container running crawl4ai. The attack is triggered by sending a crafted POST request to the /crawl endpoint with a malicious extraction schema containing a computed field expression.

Impact Analysis

This vulnerability can have severe impacts including complete compromise of the affected system. An attacker can execute arbitrary system commands, read and write files, and exfiltrate sensitive information within the Docker container running crawl4ai.

Because the attack requires no authentication and has a low complexity, it poses a high risk of exploitation. The vulnerability affects confidentiality, integrity, and availability of the system, potentially leading to data breaches, system manipulation, and denial of service.

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the /crawl endpoint whose extraction schema contains computed field expressions that reference introspection attributes such as gi_frame, f_back or f_builtins, or any attribute outside the small vocabulary a legitimate computed field needs.

You can also determine whether a deployment is vulnerable by checking the installed Crawl4AI version: anything below 0.8.7 is affected.

  • Check the installed Crawl4AI version: `pip show crawl4ai` or `crawl4ai --version`
  • Monitor network traffic for suspicious POST requests to /crawl, for example using tcpdump or Wireshark filtering HTTP POST requests to /crawl.
  • Inspect logs for unusual computed field expressions or unexpected code execution attempts.
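The description above explains why a prefix-based attribute filter fails (generator and frame attributes carry no leading underscore), and the detection list above asks for inspection of computed field expressions in /crawl request bodies. The following added example, written for this page and not taken from Crawl4AI, shows both sides: an illustrative reconstruction of the weak underscore-only check, an allowlist-based validator that rejects every attribute, call and syntax form not explicitly permitted, and a scanner that applies the validator to every `expression` string in a JSON request body. The `expression` key name, the request body layout, the allowed attribute and function sets, and the sample body are all assumptions constructed for the demonstration.

```python
import ast
import json

# Illustrative reconstruction of the weak pattern the advisory describes: walk the
# AST and reject only attribute names that begin with an underscore. This is NOT
# Crawl4AI's own code; only the general shape is taken from the description.
def underscore_only_check(expr: str) -> bool:
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            return False
    return True


# Hardened alternative: allowlist node types, attribute names and callables.
# Generators, lambdas and comprehensions are absent from ALLOWED_NODES, and any
# attribute not in ALLOWED_ATTRS is rejected regardless of its spelling, so
# gi_frame / f_back / f_builtins never reach an evaluator. The sets below are
# assumptions sized for typical computed fields (arithmetic and string tidying).
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.Name, ast.Constant, ast.Attribute, ast.Call, ast.Subscript, ast.Slice,
    ast.Load, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub, ast.Not,
    ast.And, ast.Or, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)
ALLOWED_ATTRS = {"upper", "lower", "strip", "title", "startswith", "endswith",
                 "replace", "split"}
ALLOWED_CALLS = {"len", "str", "int", "float", "round", "min", "max", "abs"}


def allowlist_check(expr: str):
    """Return (ok, reason). ok is True only if every node is on the allowlist."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        return False, f"syntax error: {exc.msg}"
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False, f"disallowed syntax: {type(node).__name__}"
        if isinstance(node, ast.Attribute) and node.attr not in ALLOWED_ATTRS:
            return False, f"disallowed attribute: {node.attr}"
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name):
                if func.id not in ALLOWED_CALLS:
                    return False, f"disallowed call: {func.id}"
            elif not isinstance(func, ast.Attribute):
                return False, "disallowed call target"
    return True, "ok"


def scan_extraction_schema(body: str):
    """Validate every string stored under a key named 'expression' anywhere in a
    JSON request body (key name is an assumption) and return the findings."""
    findings = []

    def walk(obj, path):
        if isinstance(obj, dict):
            for key, value in obj.items():
                if key == "expression" and isinstance(value, str):
                    ok, reason = allowlist_check(value)
                    if not ok:
                        findings.append({"path": f"{path}.{key}",
                                         "expression": value, "reason": reason})
                else:
                    walk(value, f"{path}.{key}")
        elif isinstance(obj, list):
            for index, value in enumerate(obj):
                walk(value, f"{path}[{index}]")

    walk(json.loads(body), "$")
    return findings


# Constructed sample request body: one benign computed field and one that names a
# generator attribute the prefix check would let through.
SAMPLE_BODY = json.dumps({
    "urls": ["https://example.com/"],
    "extraction_config": {"fields": [
        {"name": "price_with_tax", "expression": "price * 1.1"},
        {"name": "probe", "expression": "item.gi_frame"},
    ]},
})

if __name__ == "__main__":
    for finding in scan_extraction_schema(SAMPLE_BODY):
        print(finding)
```

Run over the sample body, the scanner reports only the second field, while `underscore_only_check` accepts the same expression; that gap is the whole vulnerability. A request-logging middleware or a WAF rule that applies `scan_extraction_schema` to /crawl bodies gives the monitoring the detection guidance asks for without having to enumerate every introspection attribute by name.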
Mitigation Strategies

Immediate mitigation steps include upgrading Crawl4AI to version 0.8.7 or later, where the vulnerability is fixed.

Additionally, enable JWT authentication (disabled by default) to prevent unauthenticated access to the API.

Restrict network access to the Docker API to limit exposure to potential attackers.

Compliance Impact

This vulnerability allows unauthenticated remote code execution, enabling attackers to execute system commands, read/write files, and exfiltrate secrets within the Docker container.

Such unauthorized access and potential data exfiltration can severely impact the confidentiality, integrity, and availability of sensitive data, which are core requirements in compliance standards like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could lead to violations of these regulations due to unauthorized data access and potential data breaches.
