CVE-2026-56266
Status: Received - Intake
Server-Side Request Forgery in Crawl4AI Prior to 0.8.7

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: VulnCheck

Description
Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

Crawl4AI versions before 0.8.7 have a server-side request forgery (SSRF) vulnerability in several endpoints (/crawl, /crawl/stream, /md, and /llm). These endpoints fetch URLs supplied by users without validating them properly.

This lack of validation allows unauthenticated attackers to bypass internal address blocklists by using IPv6-mapped IPv4 addresses, enabling them to access internal services and cloud metadata endpoints that should normally be protected.
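The bypass described above is an address-normalization gap: an IPv4-only blocklist never matches the IPv6-mapped form of the same address. The following Python code is an added example for defenders, not Crawl4AI's code or its 0.8.7 fix; the blocklist contents, function names and sample addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed IPv4-only blocklist (assumption: stands in for the bypassed list).
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)]


def host_of(url):
    """Return the host part of a URL; brackets around IPv6 literals are stripped."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host")
    return host


def naive_is_blocked(addr):
    """Weak check: compares the parsed address against IPv4 networks only.

    An IPv6Address is never a member of an IPv4Network, so the mapped
    form ::ffff:a.b.c.d of a blocked address is reported as allowed.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_V4)


def hardened_is_blocked(addr):
    """Corrected check: unwrap IPv6-mapped IPv4, then allow only global addresses.

    Raises ValueError for anything that is not an IP literal, so a caller
    cannot pass an unresolved DNS name through by accident.
    """
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # None for IPv4 and plain IPv6
    if mapped is not None:
        ip = mapped
    return not ip.is_global  # loopback, private, link-local, reserved are blocked


if __name__ == "__main__":
    # Constructed sample addresses, including a link-local metadata-style one.
    for a in ("169.254.169.254", "::ffff:169.254.169.254", "93.184.216.34"):
        print(a, naive_is_blocked(a), hardened_is_blocked(a))
```

For URLs whose host is a DNS name, the same check has to be applied to every address the name resolves to, and the connection made to the address that was checked.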

Impact Analysis

This vulnerability can allow attackers to make unauthorized requests from the vulnerable server to internal systems or cloud metadata services.

Such access can lead to exposure of sensitive internal information, potential compromise of internal services, and unauthorized retrieval of cloud instance metadata, which may include credentials or configuration data.
