Crawl4AI < 0.8.0 Docker API Local File Inclusion via file...

9.2 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Description

Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulnerability in the Docker API deployment. The /execute_js, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem. An attacker can access sensitive files such as /etc/passwd, /etc/shadow, application configuration files, and environment variables via /proc/self/environ, potentially exposing credentials, API keys, and internal application structure.

AI Analysis

Local file inclusion vulnerability in Docker API deployment, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem.

Basic Information

ID CVE-2026-26217

Source VulnCheck

Published Feb 12, 2026 at 15:33

Modified Feb 12, 2026 at 15:54

Affected Product

Vendor unclecode

Product Crawl4AI

Affected Versions unclecode Crawl4AI 0

CWE Classification

CWE-22

AI Assessment

AI Score 9.2 / 10

AI Severity Critical

Vendor unclecode

Product Crawl4AI

Version < 0.8.0

References

{
    "lastseen": "",
    "description": "Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulnerability in the Docker API deployment. The /execute_js, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem. An attacker can access sensitive files such as /etc/passwd, /etc/shadow, application configuration files, and environment variables via /proc/self/environ, potentially exposing credentials, API keys, and internal application structure.",
    "published": "2026-02-12T15:33:27.454Z",
    "modified": "2026-02-12T15:54:14.790Z",
    "type": "cve",
    "title": "Crawl4AI < 0.8.0 Docker API Local File Inclusion via file URL Handling",
    "source": "VulnCheck",
    "references": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-vx9w-5cx4-9796\nhttps://github.com/unclecode/crawl4ai/blob/main/docs/blog/release-v0.8.0.md\nhttps://www.vulncheck.com/advisories/crawl4ai-docker-api-local-file-inclusion-via-file-url-handling",
    "id": "CVE-2026-26217",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "unclecode Crawl4AI 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.2,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Crawl4AI",
    "version": "0",
    "vendor": "unclecode",
    "ai_description": "Local file inclusion vulnerability in Docker API deployment, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem.",
    "ai_severity": "Critical",
    "ai_vendor": "unclecode",
    "ai_product": "Crawl4AI",
    "ai_version": "< 0.8.0",
    "ai_score": 9.2
}

Crawl4AI < 0.8.0 Docker API Local File Inclusion via file URL Handling_CVE-2026-26217