CVE-2026-26216

10.0 CRITICAL

📋 TL;DR

Crawl4AI versions before 0.8.0 contain an unauthenticated remote code execution vulnerability in the Docker API deployment. Attackers can send malicious Python code via the /crawl endpoint's hooks parameter, which gets executed with exec() and allows importing arbitrary modules to run system commands. This affects all deployments using vulnerable versions of Crawl4AI's Docker API.

💻 Affected Systems

Products:
  • Crawl4AI
Versions: All versions prior to 0.8.0
Operating Systems: Any OS running Docker
Default Config Vulnerable: ⚠️ Yes
Notes: Only Docker API deployments of Crawl4AI are affected, not necessarily every installation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing arbitrary command execution, sensitive data exfiltration, file system access, and lateral movement within internal networks.

🟠 Likely Case

Remote attackers gain shell access to the container/host, install persistence mechanisms, and steal sensitive data.

🟢 If Mitigated

If properly patched and network-restricted, impact is limited to denial of service or limited data exposure.

🌐 Internet-Facing: HIGH - Unauthenticated RCE accessible via HTTP endpoint makes internet-facing deployments extremely vulnerable.
🏢 Internal Only: HIGH - Even internal deployments are vulnerable to any network-accessible attacker.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests carrying malicious Python code in the hooks parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.0

Vendor Advisory: https://github.com/unclecode/crawl4ai/security/advisories/GHSA-5882-5rx9-xgxp

Restart Required: Yes

Instructions:

1. Update Crawl4AI to version 0.8.0 or later.
2. Rebuild and redeploy the Docker containers.
3. Verify that the hooks parameter no longer accepts arbitrary Python code.

🔧 Temporary Workarounds

Network Restriction (Linux)

Restrict access to the Crawl4AI Docker API endpoints using firewall rules or network policies. The ACCEPT rule for trusted sources must precede the DROP rule, as below.

iptables -A INPUT -p tcp --dport [CRAWL4AI_PORT] -s [TRUSTED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [CRAWL4AI_PORT] -j DROP

Docker Network Isolation (Linux)

Run the Crawl4AI container on an isolated Docker network with no external exposure. Note that a network created with --internal also blocks the container's own outbound traffic, so the crawler can only fetch sites reachable from that network; only containers attached to the same network can call its API.

docker network create --internal crawl4ai-network
docker run --network crawl4ai-network crawl4ai

🧯 If You Can't Patch

  • Immediately restrict network access to only trusted IP addresses using firewall rules.
  • Monitor logs for suspicious requests to the /crawl endpoint whose hooks parameter contains Python code.

🔍 How to Verify

Check if Vulnerable:

Check whether a Docker deployment is running a Crawl4AI version below 0.8.0 with the /crawl endpoint reachable.

Check Version:

docker exec [container_name] python -c "import crawl4ai; print(crawl4ai.__version__)"

Verify Fix Applied:

Confirm the version is 0.8.0 or later and test that the hooks parameter no longer executes arbitrary Python code.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /crawl with a hooks parameter containing import statements or system commands
  • Unusual process execution from Crawl4AI container

Network Indicators:

  • Outbound connections from Crawl4AI container to unexpected destinations
  • Large data exfiltration from container

SIEM Query:

source="crawl4ai" AND url_path="/crawl" AND (request_body CONTAINS "__import__" OR request_body CONTAINS "os.system" OR request_body CONTAINS "subprocess")
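An added example (not from this advisory or the Crawl4AI project) that applies the log indicators above to a few constructed JSON-lines access-log records: it scopes matching to POST /crawl, so a body that merely mentions os.system on another path does not fire, and grades every hooks parameter by the tokens it carries. The log field names, the hook key "hook_placeholder" and the IP addresses are assumptions.

```python
import json

# Indicator tokens the advisory lists for code-execution attempts in hooks.
SUSPICIOUS_TOKENS = ("__import__", "os.system", "subprocess", "import ")
# Access-log records constructed for this example; the field names are an
# assumption, not Crawl4AI's log format, and "hook_placeholder" is invented.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/crawl", "src": "10.0.0.5",
     "body": json.dumps({"urls": ["https://example.com"]})},
    {"method": "POST", "path": "/crawl", "src": "203.0.113.9", "body": json.dumps(
        {"urls": ["https://example.com"], "hooks": {"hook_placeholder": "import subprocess"}})},
    {"method": "POST", "path": "/other", "src": "10.0.0.7",
     "body": json.dumps({"note": "os.system appears in text"})},
    {"method": "POST", "path": "/crawl", "src": "198.51.100.2", "body": "not json"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

def _load(text):
    try:  # json.loads that returns None instead of raising on bad input
        return json.loads(text)
    except (json.JSONDecodeError, TypeError):
        return None

def _hook_texts(hooks):
    """Flatten a hooks value (dict, list or scalar) into (name, text) pairs."""
    as_text = lambda v: v if isinstance(v, str) else json.dumps(v)
    if isinstance(hooks, dict):
        return [(str(k), as_text(v)) for k, v in hooks.items()]
    if isinstance(hooks, list):
        return [(str(i), as_text(v)) for i, v in enumerate(hooks)]
    return [("hooks", as_text(hooks))]

def scan_crawl_log(log_text: str) -> list:
    """Findings for POST /crawl requests that carry a hooks parameter."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = _load(line)
        if not isinstance(rec, dict) or rec.get("method") != "POST" or rec.get("path") != "/crawl":
            continue
        body = _load(rec.get("body"))
        if not isinstance(body, dict):  # malformed body on the vulnerable path
            findings.append({"line": lineno, "src": rec.get("src"), "severity": "low", "hits": []})
            continue
        if "hooks" not in body:
            continue  # ordinary crawl request, no code parameter
        hits = [(n, m) for n, t in _hook_texts(body["hooks"])
                if (m := [tok for tok in SUSPICIOUS_TOKENS if tok in t])]
        findings.append({"line": lineno, "src": rec.get("src"),
                         "severity": "high" if hits else "medium", "hits": hits})
    return findings
```

On the sample log this reports line 2 as high (tokens "subprocess" and "import ") and line 4 as low (unparseable body on /crawl); a hooks parameter with no listed token is still reported as medium, since any hooks value reaches exec() on unpatched versions.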
