PT-2026-53031 · Pypi · Crawl4Ai

Published

2026-06-16

·

Updated

2026-06-16

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Summary

The Docker API server let a request control where LLM calls were sent and which environment variable an LLM token resolved from. Both could be abused to exfiltrate server-held secrets. The Docker API is unauthenticated by default.

Vector 1 - attacker base url

/md, /llm, and /llm/job accepted a base url in the request and used it as the LLM endpoint while still attaching the server's configured provider API key. An attacker set base url to a server they control and received the provider key (and any provider keys the server holds) in the inbound request.

Vector 2 - arbitrary environment variable read via env:

LLMConfig(api token="env:NAME") resolved NAME from the server environment with os.getenv. Because request bodies were deserialized into LLMConfig (via a crawler config / extraction strategy), an attacker could set api token="env:SECRET KEY" (or env:REDIS PASSWORD, etc.) and, paired with an attacker base url, exfiltrate that secret. Reading the server's SECRET KEY enables forging authentication tokens.

Impact

Disclosure of LLM provider API keys and other server secrets to an attacker-controlled endpoint; reading the JWT SECRET KEY can lead to authentication bypass.

Fix

  • The LLM endpoints ignore a request-supplied base url; the endpoint is always derived server-side from the provider name. The field is still accepted but no longer honored (no breaking 4xx).
  • LLMConfig refuses env: resolution of protected environment-variable names (names containing SECRET/PASSWORD/PRIVATE, prefixes CRAWL4AI*/AWS SECRET*, and SECRET KEY/REDIS PASSWORD/TOKEN). Normal provider keys (e.g. OPENAI API KEY) are unaffected.

Workarounds

  • Upgrade to the patched version.
  • Enable authentication (CRAWL4AI API TOKEN).
  • Do not place sensitive secrets in the server environment alongside provider keys.

Credits

  • Geo (geo-chen) - reported the LLM credential exfiltration via request base url.
  • Internal security audit (Crawl4AI maintainers) - the env: arbitrary-variable read.

Fix

SSRF

Insufficiently Protected Credentials

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-F989-C77F-R2CQ

Affected Products

Crawl4Ai