CVE-2026-57573

Severity CVSS v4.0:
Pending analysis
Type:
CWE-918 Server-Side Request Forgery (SSRF)
Publication date:
06/07/2026
Last modified:
07/07/2026

Description

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server applied its SSRF destination check on the non-streaming /crawl path but not on the streaming path. handle_stream_crawl_request passed seed URLs straight to the crawler with no destination validation, allowing a remote unauthenticated client to call POST /crawl/stream or POST /crawl with crawler_config.stream=true with a URL pointing at an internal, private, or link-local address; the server fetched it and streamed the response body back. This issue is fixed in version 0.9.0.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:kidocode:crawl4ai:*:*:*:*:*:*:*:* 0.9.0 (excluding)