CVE-2026-26216

CriticalPublic PoC

Published: 12 February 2026

Published

12 February 2026

Modified

20 February 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0032 54.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins,…

allowing unauthenticated remote attackers to import arbitrary modules and execute system commands. Successful exploitation allows full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the RCE flaw in Crawl4AI by requiring timely identification, reporting, and patching to version 0.8.0 or later.

SI-10 Information Input Validation good match

prevent

Validates user-supplied hooks parameter to the /crawl endpoint, preventing injection and execution of arbitrary Python code via exec().

SC-14 Public Access Protections good match

prevent

Enforces authorizations and protections at the publicly accessible Docker API /crawl endpoint, blocking unauthenticated remote code execution.

Security SummaryAI

CVE-2026-26216 is a remote code execution vulnerability in Crawl4AI versions prior to 0.8.0, specifically within its Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(), with the __import__ builtin included among the allowed builtins. This allows attackers to import arbitrary modules and execute system commands, as classified under CWE-94 (Code Injection).

Unauthenticated remote attackers can exploit the vulnerability over the network with low attack complexity and no user interaction or privileges required, earning a maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Successful exploitation results in full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.

The GitHub security advisory (GHSA-5882-5rx9-xgxp) and release notes for Crawl4AI v0.8.0 address the issue, with mitigation achieved by upgrading to version 0.8.0 or later. Further technical details on the vulnerability and remediation are provided in the VulnCheck advisory.

Details

CWE(s): CWE-94

Affected Products

kidocode

crawl4ai

≤ 0.8.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.006 Python Execution

Adversaries may abuse Python commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE enables unauthenticated RCE via public-facing /crawl API endpoint (T1190) by injecting and executing arbitrary Python code with exec() (T1059.006), leading to system command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/unclecode/crawl4ai/blob/main/docs/blog/release-v0.8.0.md
Release Notes · disclosure@vulncheck.com
https://github.com/unclecode/crawl4ai/security/advisories/GHSA-5882-5rx9-xgxp
Mitigation, Vendor Advisory · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/crawl4ai-docker-api-unauthenticated-remote-code-execution-via-hooks-parameter
Third Party Advisory · disclosure@vulncheck.com