Platform
python
Component
crawl4ai
Fixed in
0.8.0
0.8.1
CVE-2026-26217 describes a Local File Inclusion (LFI) vulnerability in the Crawl4AI Docker API. The /execute_js, /screenshot, /pdf, and /html endpoints accept a caller-supplied target URL and do not restrict its scheme, so an unauthenticated attacker who can reach the API can submit a file:// URL and have the service read an arbitrary file from the container's filesystem and return its contents (rendered, captured, or embedded in the response). The vulnerability affects Crawl4AI versions up to and including 0.7.8; the fix is available in version 0.8.0.
The LFI vulnerability poses a significant risk to any system exposing the affected Docker API. An attacker can read world-readable files such as /etc/passwd to enumerate accounts, and, if the API process runs as root (the common case in a container that does not drop privileges), /etc/shadow as well. /proc/self/environ exposes the environment of the API process itself, which in a containerised deployment is typically where API keys, database credentials and service endpoints are injected; the same technique reads application source and configuration files. Anything recovered this way supports further exploitation, including lateral movement within the network and data exfiltration, and the application structure alone is useful reconnaissance for later attacks.
CVE-2026-26217 was publicly disclosed on January 16, 2026. No active exploitation campaigns have been publicly reported, but the ease of exploitation and the potential for significant data exposure make this a concerning vulnerability. There are currently no known public proof-of-concept exploits; exploitation nevertheless requires nothing more than a single request to one of the affected endpoints carrying a file:// URL. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (20th percentile)
The primary mitigation for CVE-2026-26217 is to upgrade Crawl4AI to version 0.8.0 or later, which contains the fix. If an immediate upgrade is not feasible, apply temporary workarounds. First, do not expose the Docker API to untrusted clients at all: restrict it to trusted networks or put it behind an authenticating reverse proxy. Second, filter the vulnerable endpoints (/execute_js, /screenshot, /pdf, /html) at a Web Application Firewall (WAF) or proxy. A rule that merely blocks request bodies containing the literal string file:// is easy to bypass (mixed case such as FILE://, JSON unicode escapes, or a scheme with a single slash), so the rule should instead parse the request and allow only http and https URLs in the target field. Third, monitor proxy and application logs for requests to those endpoints whose target is not an http(s) URL, and in particular for paths such as /etc/passwd or /proc/self/environ. After upgrading, confirm the fix by sending a request with a file:// target (for example file:///etc/passwd) to each of the four endpoints and verifying that the service rejects the request rather than returning file contents.
Upgrade Crawl4AI to version 0.8.0 or later; this version fixes the Local File Inclusion vulnerability. For a pip-managed install this means upgrading the crawl4ai package from the official repository to 0.8.0 or later; for the Docker deployment, pull an image tagged 0.8.0 or later and replace the running container.
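The scheme-allowlist rule and the log check described above, as an added example (this is illustrative code written for this page, not Crawl4AI project code or the actual fix in 0.8.0). It assumes the four endpoints take a JSON body whose `url` field carries the target; the log format and log lines are constructed for the example. The naive substring rule is kept alongside only to show what it misses.

```python
"""Added example, not Crawl4AI code: allowlist the URL scheme on the four
endpoints named in the advisory instead of denylisting the string 'file://'.
Assumption: each endpoint takes a JSON object with the target in a `url` field."""
import json
from urllib.parse import urlsplit

VULNERABLE_ENDPOINTS = {"/execute_js", "/screenshot", "/pdf", "/html"}
ALLOWED_SCHEMES = {"http", "https"}


def url_is_allowed(url) -> bool:
    """True only for http(s) URLs with a host. file:, data:, a bare path or a
    URL with no host are all refused, so there is no denylist to bypass."""
    if not isinstance(url, str):
        return False
    # Drop control characters and surrounding whitespace before parsing so
    # "file\x00://..." or " file:///etc/passwd" are judged on what a fetcher
    # would actually see.
    cleaned = "".join(ch for ch in url if ch.isprintable()).strip()
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)


def naive_waf_blocks(raw_body: bytes) -> bool:
    """The workaround taken literally: reject any body containing 'file://'.
    Shown only to demonstrate the bypasses the allowlist closes."""
    return b"file://" in raw_body


def check_request(path: str, raw_body: bytes):
    """Return (allowed, reason) for one request. The body is parsed as JSON
    first, so escaped or mixed-case payloads are judged on their decoded value,
    which a raw substring match on 'file://' never sees."""
    if path.split("?", 1)[0] not in VULNERABLE_ENDPOINTS:
        return True, "endpoint not in scope"
    try:
        body = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return False, "body is not valid JSON"
    if not isinstance(body, dict):
        return False, "body is not a JSON object"
    url = body.get("url")  # field name is an assumption, see lead-in
    if not url_is_allowed(url):
        return False, "url scheme not allowed: %r" % (url,)
    return True, "ok"


# Constructed proxy log in the invented form "<timestamp> <method> <path> <json body>".
SAMPLE_LOG = """\
2026-01-20T10:00:01Z POST /html {"url": "https://example.com/"}
2026-01-20T10:00:02Z POST /screenshot {"url": "file:///etc/passwd"}
2026-01-20T10:00:03Z POST /pdf {"url": "FILE:///proc/self/environ"}
2026-01-20T10:00:04Z POST /execute_js {"url": "\\u0066ile:///etc/shadow", "scripts": ["1"]}
2026-01-20T10:00:05Z GET /health {}
"""


def scan_log(text: str):
    """Return [(timestamp, path, reason)] for every logged request the
    allowlist would have refused; use this to hunt for past abuse."""
    hits = []
    for line in text.splitlines():
        try:
            ts, _method, path, body = line.split(" ", 3)
        except ValueError:  # malformed line
            continue
        allowed, reason = check_request(path, body.encode())
        if not allowed:
            hits.append((ts, path, reason))
    return hits


if __name__ == "__main__":
    for ts, path, reason in scan_log(SAMPLE_LOG):
        print(ts, path, reason)
```

Of the three malicious lines in the constructed log, only the plain `file:///etc/passwd` request would be caught by the literal `file://` substring rule; the mixed-case and `\u0066`-escaped variants pass it but are refused by the allowlist because the check runs on the parsed, lower-cased scheme.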
CVE-2026-26217 is a Local File Inclusion vulnerability in Crawl4AI versions up to 0.7.8, allowing attackers to read arbitrary files from the server.
Any deployment running the Crawl4AI Docker API at version 0.7.8 or earlier is affected, and the exposure is greatest where the API is reachable by untrusted clients.
Upgrade Crawl4AI to version 0.8.0 or later to remediate the vulnerability. As a temporary workaround, restrict network access to the API and add a WAF or proxy rule that allows only http and https target URLs on the affected endpoints; a rule that only matches the literal string file:// is easily bypassed.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation warrants immediate attention and mitigation.
Refer to the Crawl4AI project's official channels (GitHub repository, project website) for the latest advisory and security updates.