Impact
The vulnerability is a hardcoded default JWT signing key in the Crawl4AI Docker API server. Attackers who know the key can forge authentication tokens for any user, bypassing authentication and gaining full system access. This is a critical flaw identified as CWE-798.
Affected Systems
Crawl4AI software prior to version 0.8.7. All releases before 0.8.7 use the default key and are vulnerable.
Risk and Exploitability
The CVSS score of 9.3 indicates a critical severity. EPSS information is not available and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers can exploit the flaw remotely via the exposed Docker API; the only prerequisite is knowledge of the hardcoded key, which is publicly known in the source code.
OpenCVE Enrichment