Description
Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.
Published: 2026-06-21
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a hardcoded default JWT signing key in the Crawl4AI Docker API server. Attackers who know the key can forge authentication tokens for any user, bypassing authentication and gaining full system access. This is a critical flaw identified as CWE-798.

Affected Systems

Crawl4AI software prior to version 0.8.7. All releases before 0.8.7 use the default key and are vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. EPSS information is not available and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers can exploit the flaw remotely via the exposed Docker API; the only prerequisite is knowledge of the hardcoded key, which is publicly known in the source code.

Generated by OpenCVE AI on June 21, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Crawl4AI to version 0.8.7 or later where the hardcoded key has been removed.
  • If upgrading is not possible immediately, reconfigure the application to use a unique, secure JWT signing key instead of the default.
  • Restrict network access to the Docker API server to trusted hosts only and apply firewall rules.
  • As a temporary fix, manually replace the hardcoded key in the configuration and restart the service, but plan an upgrade.

Generated by OpenCVE AI on June 21, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Crawl4ai
Crawl4ai crawl4ai
Vendors & Products Crawl4ai
Crawl4ai crawl4ai

Mon, 22 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.
Title Crawl4AI - Authentication Bypass via Hardcoded JWT Signing Key
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Crawl4ai Crawl4ai
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T10:43:47.773Z

Reserved: 2026-06-20T01:42:20.615Z

Link: CVE-2026-56265

cve-icon Vulnrichment

Updated: 2026-06-22T10:43:04.969Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:03:49Z

Weaknesses
  • CWE-798

    Use of Hard-coded Credentials