Description
Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution. The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema. This vulnerability is fixed in 0.8.7.
Published: 2026-06-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crawl4AI is an open‑source LLM‑friendly web crawler and scraper. Before version 0.8.7, its _safe_eval_expression() function, used in computed fields, only blocked attributes starting with an underscore. Python’s generator and frame object attributes (gi_frame, f_back, f_builtins) do not start with underscore, permitting a complete AST sandbox escape that enables arbitrary code execution. The flaw is triggered via a POST to /crawl with a crafted extraction schema and requires no authentication because the JWT feature is disabled by default. If exploited, an attacker can execute any command on the host running Crawl4AI, resulting in total compromise of confidentiality, integrity, and availability.
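The class of mistake described above (a denylist that only checks for a leading underscore) is easiest to see next to an allowlist. The following is an added illustration, not Crawl4AI's code: `weak_validate` is a hypothetical reconstruction of the pre-0.8.7 check as the advisory describes it, `hardened_validate` permits only explicitly listed node types, attribute names, fields and callables, and the sample expressions are constructed and only parsed, never evaluated.

```python
import ast

# Constructed sample expressions; they are only parsed here, never evaluated.
FIELDS = {"price", "item"}
BENIGN = "price.strip().lower() + ' usd'"
ESCAPE = "item.gi_frame.f_back.f_builtins"   # attribute chain named in the advisory
DUNDER = "item.__class__.__mro__"


def _parse(expr):
    try:
        return ast.parse(expr, mode="eval")
    except SyntaxError:
        return None


# Denylist check shaped like the pre-0.8.7 behaviour the advisory describes
# (hypothetical reconstruction): only attributes starting with "_" are rejected,
# so gi_frame / f_back / f_builtins pass straight through.
def weak_validate(expr):
    tree = _parse(expr)
    if tree is None:
        return False
    return not any(isinstance(n, ast.Attribute) and n.attr.startswith("_")
                   for n in ast.walk(tree))


# Allowlist check: every node type, attribute name, variable and callable must be
# explicitly permitted, so introspection attributes are rejected without having
# to enumerate them one by one.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load, ast.Attribute, ast.Call,
    ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
    ast.Subscript, ast.Slice, ast.IfExp,
)
ALLOWED_METHODS = {"strip", "lower", "upper", "split", "replace",
                   "startswith", "endswith", "get"}
ALLOWED_FUNCS = {"len", "str", "int", "float", "round", "min", "max"}


def hardened_validate(expr, fields):
    tree = _parse(expr)
    if tree is None:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False
        if isinstance(node, ast.Attribute) and node.attr not in ALLOWED_METHODS:
            return False
        if isinstance(node, ast.Name) and node.id not in fields | ALLOWED_FUNCS:
            return False
        if isinstance(node, ast.Call):
            if not isinstance(node.func, (ast.Name, ast.Attribute)):
                return False
            if isinstance(node.func, ast.Name) and node.func.id not in ALLOWED_FUNCS:
                return False
    return True
```

Running both validators over the samples shows the gap: the weak check accepts the `gi_frame.f_back.f_builtins` chain because none of those names begins with an underscore, while the allowlist rejects it and still accepts the ordinary string-manipulation formula.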

Affected Systems

Any installation of Crawl4AI older than version 0.8.7 is affected. The product is provided by unclecode; every release before the 0.8.7 update, which addressed the sandbox escape, is vulnerable. The vulnerability is reachable whenever the Crawl4AI API (its /crawl endpoint) is network-exposed.

Risk and Exploitability

With a CVSS score of 9.8, this vulnerability is considered critical. No EPSS score is published, but the lack of authentication and the straightforward POST interface suggest a high likelihood of exploitation. It is not listed in the CISA KEV catalog, yet the severity and access conditions imply that it should receive immediate attention. The attack vector is clear: a malicious requester can send a specially crafted POST payload to /crawl and gain code execution on the host running Crawl4AI.

Generated by OpenCVE AI on June 24, 2026 at 10:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Crawl4AI to 0.8.7 or later, which applies the fix for CWE‑913 (Improper Control of Dynamically-Managed Code Resources) and CWE‑94 (Code Injection).
  • If an upgrade is not immediately possible, restrict access to the /crawl endpoint to authorized users only, employing firewall rules or network segmentation to limit exposure.
  • Enable and enforce JWT authentication to require clients to present a valid token before the API accepts POST requests, thereby reducing the risk profile associated with CWE‑913.

Advisories

  • Source: GitHub GHSA; ID: GHSA-qxjp-w3pj-48m7; Title: Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
History

Tue, 23 Jun 2026 22:15:00 +0000

  • First Time appeared (values added): Unclecode; Unclecode crawl4ai
  • Vendors & Products (values added): Unclecode; Unclecode crawl4ai

Tue, 23 Jun 2026 20:30:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 19:00:00 +0000

  • Description (values added): Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution. The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema. This vulnerability is fixed in 0.8.7.
  • Title (values added): Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
  • Weaknesses (values added): CWE-913, CWE-94
  • References (values added): none listed
  • Metrics (values added): cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T18:55:22.278Z

Reserved: 2026-06-10T17:48:40.546Z

Link: CVE-2026-53753

Vulnrichment

Updated: 2026-06-23T18:54:09.147Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:15:05Z

Weaknesses
  • CWE-913

    Improper Control of Dynamically-Managed Code Resources

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')