Platform
python
Component
crawl4ai
Fixed in
0.8.0
0.8.1
0.8.0
CVE-2026-26217 describes a Local File Inclusion (LFI) vulnerability within the Crawl4AI Docker API. This flaw allows unauthenticated attackers to read arbitrary files from the server's filesystem by exploiting the /execute_js, /screenshot, /pdf, and /html endpoints. The vulnerability impacts versions of Crawl4AI up to and including 0.7.8, with a fix available in version 0.8.0.
The impact of this LFI vulnerability is significant. An attacker can leverage it to read sensitive files such as /etc/passwd and /etc/shadow, potentially exposing user credentials. They can also access environment variables through /proc/self/environ, revealing internal application configurations and API keys. This information could be used for further exploitation, including privilege escalation and data exfiltration. The ability to read arbitrary files provides a broad attack surface, allowing attackers to map the internal structure of the application and identify other potential vulnerabilities.
This vulnerability was publicly disclosed on January 16, 2026. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the potential for significant data exposure make it a high-priority concern. The provided proof-of-concept demonstrates the vulnerability's simplicity. It is not currently listed on CISA KEV, but its severity warrants monitoring.
Organizations deploying Crawl4AI in environments where sensitive data is stored on the server filesystem are at significant risk. This includes development environments, testing environments, and production deployments where the API is exposed without proper access controls. Shared hosting environments utilizing Crawl4AI are also particularly vulnerable, as a compromise of one container could potentially expose data from other containers on the same host.
• linux / server:
journalctl -u crawl4ai | grep -i "file://"
• generic web:
curl -I 'http://your-crawl4ai-server/execute_js?url=file:///etc/passwd'
• generic web:
grep "file://" /var/log/nginx/access.log
disclosure
Exploit status
EPSS
0.07% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26217 is to upgrade Crawl4AI to version 0.8.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. These include restricting access to the vulnerable endpoints through a Web Application Firewall (WAF) or proxy server, configuring strict input validation to prevent file:// URLs, and monitoring system logs for suspicious activity. Specifically, block requests containing file:// in the URL. After upgrading, verify the fix by attempting to access sensitive files via the vulnerable endpoints and confirming that access is denied.
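The two workarounds above, strict input validation and log monitoring, as an added example that is not Crawl4AI project code: an allowlist check for the target URL (rather than blocking the literal string file://, which misses case variants, single-slash file URLs and percent-encoded schemes) and a scan over constructed nginx-style access log lines for the affected endpoints. Function names and the log format are assumptions.

```python
from urllib.parse import urlsplit, unquote, parse_qs

ALLOWED_SCHEMES = {"http", "https"}
AFFECTED_ENDPOINTS = ("/execute_js", "/screenshot", "/pdf", "/html")


def is_allowed_target_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that carry a host.

    An allowlist is used instead of a "file://" denylist: "FILE://",
    "file:/etc/passwd" (one slash is still a valid file URL) and
    percent-encoded schemes all slip past a literal string match.
    """
    if not isinstance(url, str):
        return False
    parts = urlsplit(url.strip())          # urlsplit lower-cases the scheme
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def find_suspicious_requests(log_lines):
    """Return (line_no, decoded url param) for requests to the affected
    endpoints whose url= parameter is not an allowed http(s) URL."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            request = line.split('"')[1]   # 'GET /path?q HTTP/1.1'
            target = request.split()[1]
        except IndexError:                 # not a combined-format line
            continue
        path, _, query = target.partition("?")
        if path not in AFFECTED_ENDPOINTS:
            continue
        for url in parse_qs(query).get("url", []):
            decoded = unquote(url)         # second pass catches double encoding
            if not is_allowed_target_url(decoded):
                hits.append((n, decoded))
    return hits


# Constructed sample log lines (nginx combined format), not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [16/Jan/2026:10:00:01 +0000] "GET /html?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.9 - - [16/Jan/2026:10:00:02 +0000] "GET /execute_js?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.9 - - [16/Jan/2026:10:00:03 +0000] "GET /screenshot?url=FILE%3A%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 4096 "-" "curl/8.0"',
    '10.0.0.7 - - [16/Jan/2026:10:00:04 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
]

if __name__ == "__main__":
    for line_no, url in find_suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: non-http(s) target {url!r}")
```

Note that the third sample line would not be caught by the grep "file://" check above, since it uses a single-slash, upper-case file URL.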
Upgrade Crawl4AI to version 0.8.0 or later. This version fixes the local file inclusion vulnerability. The update can be performed by downloading the new version from the official repository and replacing the existing installation.
CVE-2026-26217 is a Local File Inclusion vulnerability in Crawl4AI versions up to 0.7.8, allowing attackers to read arbitrary files from the server.
Yes, if you are running Crawl4AI version 0.7.8 or earlier, you are affected by this vulnerability.
Upgrade Crawl4AI to version 0.8.0 or later to remediate the vulnerability. Implement WAF rules to block file:// URLs as a temporary workaround.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation warrants immediate attention and mitigation.
Refer to the Crawl4AI project's official channels (GitHub repository, project website) for the latest advisory and security updates.