CVE-2026-56261: Crawl4AI - Server-Side Request Forgery via Webhook URLs
Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, or cloud metadata endpoints (e.g. 169.254.169.254), causing the server to make requests to internal services and potentially expose cloud metadata.
Security readout for executives and security teams
Plain-English summary
Crawl4AI’s Docker API server could be tricked into making webhook requests to internal systems. In cloud or container environments, this may expose sensitive metadata or internal services that attackers could not reach directly.
Executive priority
Treat this as urgent for internet-facing or shared Crawl4AI deployments, especially in cloud environments. Prioritize version verification, endpoint access control, and egress restrictions because the potential impact is sensitive metadata exposure.
Technical view
CVE-2026-56261 is a CWE-918 SSRF in Crawl4AI before 0.8.7. The /crawl/job and /llm/job endpoints accept webhook URLs without destination validation, allowing requests to private IP ranges, Docker networks, or cloud metadata endpoints. CVSS v4.0 score is 9.2.
Likely exposure
Exposure is most likely where the Crawl4AI Docker API server is deployed and job endpoints accept requests from untrusted users or networks. Cloud-hosted and containerized deployments with access to metadata endpoints or private internal networks carry the highest impact.
Exploitation context
The source bundle does not show CISA KEV listing or confirmed active exploitation. The weakness is remotely reachable according to CVSS, requires no privileges or user interaction, and could disclose high-value internal or cloud metadata if exposed.
Researcher notes
The available evidence identifies the vulnerable endpoints and impact class, but not detailed patch mechanics. Avoid assuming exploit availability. Focus validation on reachable Docker API deployments, webhook URL trust boundaries, and whether the process can reach internal or metadata services.
Mitigation direction
Upgrade Crawl4AI to version 0.8.7 or later where applicable.
Restrict access to the Docker API server job endpoints.
Block outbound requests from Crawl4AI to private and metadata IP ranges.
Review vendor advisory guidance before relying on compensating controls.
Segment Crawl4AI from sensitive internal services where possible.
Validation and detection
Inventory Crawl4AI deployments and confirm running versions.
Check whether /crawl/job or /llm/job are reachable by untrusted users.
Review webhook handling for destination validation controls.
Inspect logs for webhook URLs targeting private, Docker, or metadata ranges.
Confirm egress rules block metadata and internal-only destinations.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-918: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references SSRF or metadata access, so cloud discovery and credential material review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-918 · source CWE mapping
Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.