PT-2026-53031 · Pypi · Crawl4Ai
Published
2026-06-16
·
Updated
2026-06-16
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
Summary
The Docker API server let a request control where LLM calls were sent and which environment variable an LLM token resolved from. Both could be abused to exfiltrate server-held secrets. The Docker API is unauthenticated by default.
Vector 1 - attacker base url
/md, /llm, and /llm/job accepted a base url in the request and used it as the LLM endpoint while still attaching the server's configured provider API key. An attacker set base url to a server they control and received the provider key (and any provider keys the server holds) in the inbound request.Vector 2 - arbitrary environment variable read via env:
LLMConfig(api token="env:NAME") resolved NAME from the server environment with os.getenv. Because request bodies were deserialized into LLMConfig (via a crawler config / extraction strategy), an attacker could set api token="env:SECRET KEY" (or env:REDIS PASSWORD, etc.) and, paired with an attacker base url, exfiltrate that secret. Reading the server's SECRET KEY enables forging authentication tokens.Impact
Disclosure of LLM provider API keys and other server secrets to an attacker-controlled endpoint; reading the JWT
SECRET KEY can lead to authentication bypass.Fix
- The LLM endpoints ignore a request-supplied
base url; the endpoint is always derived server-side from the provider name. The field is still accepted but no longer honored (no breaking 4xx). LLMConfigrefusesenv:resolution of protected environment-variable names (names containing SECRET/PASSWORD/PRIVATE, prefixes CRAWL4AI*/AWS SECRET*, and SECRET KEY/REDIS PASSWORD/TOKEN). Normal provider keys (e.g. OPENAI API KEY) are unaffected.
Workarounds
- Upgrade to the patched version.
- Enable authentication (
CRAWL4AI API TOKEN). - Do not place sensitive secrets in the server environment alongside provider keys.
Credits
- Geo (geo-chen) - reported the LLM credential exfiltration via request base url.
- Internal security audit (Crawl4AI maintainers) - the env: arbitrary-variable read.
Fix
SSRF
Insufficiently Protected Credentials
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Crawl4Ai