Critical Crawl4AI Docker API flaws enabled unauthenticated RCE and file abuse
Crawl4AI disclosed critical vulnerabilities in its Docker API server affecting versions 0.8.6 and earlier, including an AST sandbox escape in the computed fields feature that allowed unauthenticated remote code execution through the /crawl endpoint. The flaw let attackers abuse Python generator and frame attributes such as gi_frame, f_back, and f_builtins to reach __import__ and run arbitrary OS commands inside the container. Additional reported weaknesses in the network-exposed API included unsafe code execution controls, server-side request forgery, missing authentication protections, hardcoded credentials, and improper path sanitization affecting endpoints including /screenshot, /pdf, /crawl, and /execute_js.
The project patched the issues in version 0.8.7 by removing eval() from the computed-field execution path, replacing the prior underscore-based attribute blocklist with a stricter allowlist, tightening _safe_eval_config, and removing dangerous built-ins from the hook manager. The update also added path validation to stop traversal-style file writes and introduced adversarial security tests covering the reported exploit chains. Maintainers advised users to upgrade immediately, enable JWT authentication with CRAWL4AI_API_TOKEN, configure secrets securely, restrict network exposure of the Docker API, and disable JavaScript execution where it is not required.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Report details multiple Crawl4AI Docker API vulnerabilities
A later report described multiple critical and high-severity vulnerabilities in Crawl4AI Docker API server versions 0.8.6 and earlier, including path sanitization flaws, missing authentication dependencies, hardcoded credentials, SSRF, and unsafe code execution controls. It noted that version 0.8.7 added path validation to block traversal patterns and highlighted exposed endpoints such as `/screenshot`, `/pdf`, `/crawl`, and `/execute_js`.
GitHub advisory discloses pre-auth RCE in Crawl4AI Docker API
A GitHub security advisory disclosed that Crawl4AI versions 0.8.6 and earlier contained a critical sandbox escape in computed fields that allowed unauthenticated remote code execution through crafted requests to `/crawl`. The advisory said the issue was fixed by removing `eval()` from the computed field path, hardening `/config/dump` handling, and tightening the hook manager sandbox.
Security hardening patch merged for Crawl4AI sandbox escape
A pull request introduced fixes to harden `_safe_eval_expression` against sandbox escapes by replacing the underscore-prefix blocklist with an attribute allowlist and restricting exploit primitives such as lambdas, generators, comprehensions, and subscript-based calls. Follow-up changes also removed `eval()` from computed fields, hardened `_safe_eval_config`, removed dangerous built-ins from the hook manager, and added adversarial security tests.
Sources
3 references tracked. Mallory keeps watching after this page renders.
GHSA-365W-HQF6-VXFG: GHSA-365w-hqf6-vxfg: Multiple Critical Vulnerabilities in Crawl4AI Docker API Server | CVEReports
cvereports.com
Open sourceAST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API · Advisory · unclecode/crawl4ai · GitHub
github.com
Open sourcefix(security): harden _safe_eval_expression with attribute allowlist by ntohidi · Pull Request #1886 · unclecode/crawl4ai · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Vulnerabilities in Anthropic Claude Code Enable RCE and API Key Theft via Malicious Repositories
**Check Point Research** disclosed multiple critical vulnerabilities in Anthropic’s *Claude Code* AI coding assistant that could allow **remote code execution** and **credential theft** when a developer clones and opens an **untrusted repository**. The reported attack path abuses repository-controlled configuration and automation features (including **Hooks**, **MCP servers**, and **environment variables**) to trigger hidden shell command execution and to exfiltrate **Anthropic API credentials**, potentially enabling a pivot from a developer workstation into broader enterprise environments where Claude-related workflows and shared resources are accessible. The issues include consent-bypass and command-execution weaknesses tracked under **CVE-2025-59536** (covering closely related flaws involving repository configuration executing commands without adequate user consent) and an API credential exposure issue tracked as **CVE-2026-21852**, which affected *Claude Code* versions prior to **2.0.65** and enabled API key theft via malicious project configurations. Anthropic has **patched** the vulnerabilities and advised users to update to the latest version, while indicating additional hardening measures are planned to reduce supply-chain risk from malicious commits and repository-level configuration abuse.
Apr 6, 2026
Critical Command Injection Vulnerability in Cybersecurity AI (CAI) Framework
A critical command injection vulnerability, tracked as CVE-2025-67511, has been identified in the open-source Cybersecurity AI (CAI) framework, which is used for building and deploying AI-powered offensive and defensive automation. The flaw exists in the `run_ssh_command_with_credentials()` function, where only the password and command inputs are properly escaped, leaving the username, host, and port parameters vulnerable to injection. This allows attackers to craft malicious inputs that can execute arbitrary shell commands via AI agents, potentially compromising affected systems remotely. The vulnerability affects all CAI versions up to and including 0.5.9, and no official fix or patch is available as of the latest reports. The issue is classified as critical, with a CVSS v3.1 base score of 9.6 or higher, reflecting the high risk to confidentiality, integrity, and availability. Exploitation requires user interaction, likely through the AI agent's command execution interface, but does not require authentication or elevated privileges. Security advisories recommend that organizations using CAI implement compensating controls and monitor for suspicious activity, as the vulnerability is remotely exploitable and no mitigation has been released. The lack of a patch increases the urgency for defensive measures to prevent potential exploitation in production environments.
Mar 21, 2026
Docker Engine AuthZ Bypass Flaw Enables Host Access via Oversized API Requests
Docker disclosed a high-severity Docker Engine vulnerability, **CVE-2026-34040** (`CVSS 8.8`), that allows attackers to bypass authorization plugins and perform actions that should be blocked. The flaw stems from an incomplete fix for **CVE-2024-41110** and is triggered when a specially crafted oversized Docker API request causes the request body to be dropped before inspection by an AuthZ plugin. In affected environments, the plugin may approve container operations it would otherwise deny, opening a path to unauthorized privileged actions and potential host compromise. Researchers said an attacker with Docker API access could exploit the bug by padding a container-creation request beyond **1 MB** to launch a privileged container with access to the host filesystem, exposing sensitive assets such as **AWS credentials**, **SSH keys**, and **Kubernetes configurations**. The issue affects deployments that rely on authorization plugins inspecting request bodies, while environments not using those plugins are not impacted. Docker patched the vulnerability in **Docker Engine 29.3.1** and urged defenders to upgrade, restrict Docker API access, avoid AuthZ plugins that depend on request-body inspection, and use controls such as rootless mode, user namespace remapping, and least-privilege access to reduce risk.
Apr 8, 2026