CVE-2026-56266
Analyzed Analyzed - Analysis Complete

Server-Side Request Forgery in Crawl4AI Prior to 0.8.7

Vulnerability report for CVE-2026-56266, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-30
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kidocode crawl4ai to 0.8.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Crawl4AI versions before 0.8.7 have a server-side request forgery (SSRF) vulnerability in several endpoints (/crawl, /crawl/stream, /md, and /llm). These endpoints fetch URLs supplied by users without validating them properly.

This lack of validation allows unauthenticated attackers to bypass internal address blocklists by using IPv6-mapped IPv4 addresses, enabling them to access internal services and cloud metadata endpoints that should normally be protected.

Impact Analysis

This vulnerability can allow attackers to make unauthorized requests from the vulnerable server to internal systems or cloud metadata services.

Such access can lead to exposure of sensitive internal information, potential compromise of internal services, and unauthorized retrieval of cloud instance metadata, which may include credentials or configuration data.

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass internal address blocklists and access internal services and cloud metadata endpoints, potentially exposing sensitive internal resources.

Such unauthorized access to internal systems and data could lead to breaches of confidentiality, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding sensitive information.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards or any specific regulatory consequences.

Detection Guidance

The vulnerability involves server-side request forgery (SSRF) in the /crawl, /crawl/stream, /md, and /llm endpoints of Crawl4AI before version 0.8.7. Detection can focus on monitoring HTTP requests to these endpoints that include user-supplied URLs, especially those attempting to access internal services or cloud metadata endpoints via IPv6-mapped IPv4 addresses.

You can detect exploitation attempts by inspecting web server logs or network traffic for unusual requests to these endpoints with suspicious URL parameters.

Example commands to detect such activity might include:

  • Using grep on server logs to find requests to vulnerable endpoints: grep -E "/crawl|/crawl/stream|/md|/llm" /var/log/access.log
  • Searching for IPv6-mapped IPv4 addresses in logs that might bypass blocklists: grep -E "::ffff:" /var/log/access.log
  • Using network monitoring tools like tcpdump or Wireshark to capture HTTP requests to these endpoints and analyze the payload for suspicious URLs.
Mitigation Strategies

Immediate mitigation steps include upgrading Crawl4AI to version 0.8.7 or later, where the SSRF vulnerability has been fixed.

Until an upgrade is possible, restrict access to the vulnerable endpoints (/crawl, /crawl/stream, /md, /llm) by implementing network-level controls such as firewall rules or API gateway restrictions to block unauthenticated or external access.

Additionally, monitor and block requests containing IPv6-mapped IPv4 addresses (::ffff:) to prevent bypassing internal address blocklists.

Review and apply any available patches or configuration changes recommended by the vendor to validate and sanitize user-supplied URLs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56266. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart