PT-2026-7856 · Crawl4Ai · Crawl4Ai

Neo · Published 2026-01-16 · Updated 2026-02-20 · CVE-2026-26217

CVSS v4.0: 9.2 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Crawl4AI versions prior to 0.8.0

Description

Crawl4AI is affected by a local file inclusion issue in its Docker API deployment. The /execute_js, /screenshot, /pdf, and /html API endpoints accept file:// URLs, which allows unauthenticated remote attackers to read arbitrary files from the server filesystem. An attacker can access sensitive files such as /etc/passwd, /etc/shadow, application configuration files, and environment variables via /proc/self/environ, potentially exposing credentials, API keys, and internal application structure. An example attack vector involves sending a POST request to the /execute_js endpoint with a url parameter set to file:///etc/passwd and a scripts parameter.

Recommendations

Versions prior to 0.8.0: Disable the Docker API. Add authentication to the API. Use network-level filtering.
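The input check the affected endpoints were missing, as an added illustration that is not Crawl4AI's own code and not the 0.8.0 fix: an allow-list on the URL scheme of the url parameter, applied before the URL reaches the headless browser. The function names and the constructed request body are assumptions for this example.

```python
from urllib.parse import urlsplit

# Schemes a crawl endpoint has any business fetching. Everything else,
# including file://, is refused before a browser or fetcher ever sees it.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_crawl_url(url) -> tuple[bool, str]:
    """Return (ok, reason) for the 'url' parameter of a crawl request.

    Intended for endpoints such as /execute_js, /screenshot, /pdf and
    /html, where a file:// URL would be rendered from the server's own
    filesystem. Only absolute http(s) URLs with a host are accepted.
    """
    if not isinstance(url, str):
        return False, "url must be a string"
    candidate = url.strip()  # "  file:///etc/passwd" is still file://
    if not candidate:
        return False, "url is empty"
    parts = urlsplit(candidate)  # lowercases the scheme: FILE:// -> file
    if not parts.scheme:
        return False, "url has no scheme (bare paths are not allowed)"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' is not allowed"
    if not parts.netloc:
        return False, "url has no host"  # e.g. http:///etc/passwd
    return True, "ok"


def screen_request(body: dict) -> tuple[bool, str]:
    """Validate the JSON body of a crawl request before dispatching it."""
    return validate_crawl_url(body.get("url", ""))


# Constructed sample body shaped like the advisory's example vector
# (a POST to /execute_js with a file:// url and a scripts list).
SAMPLE_ATTACK_BODY = {"url": "file:///etc/passwd", "scripts": ["document.title"]}
SAMPLE_NORMAL_BODY = {"url": "https://example.com/page", "scripts": ["document.title"]}

if __name__ == "__main__":
    for body in (SAMPLE_ATTACK_BODY, SAMPLE_NORMAL_BODY):
        print(body["url"], "->", screen_request(body))
```

The check rejects scheme variants (upper case, leading whitespace, file: without slashes, bare paths) rather than matching the literal string file://, which is the mistake a deny-list would make.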

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-26217
GHSA-VX9W-5CX4-9796
PYSEC-2026-34

Affected Products

Crawl4Ai