CVE-2026-56265

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/unclecode/crawl4ai	Product
https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg	Mitigation Vendor Advisory
https://www.vulncheck.com/advisories/crawl4ai-authentication-bypass-via-hardcoded-jwt-signing-key	Third Party Advisory
https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kidocode:crawl4ai:*:*:*:*:*:*:*:*

History

26 Jun 2026, 13:52

Type	Values Removed	Values Added
First Time		Kidocode Kidocode crawl4ai
CPE		cpe:2.3:a:kidocode:crawl4ai::::::::
References	~~() https://github.com/unclecode/crawl4ai -~~	() https://github.com/unclecode/crawl4ai - Product
References	~~() https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg -~~	() https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg - Mitigation, Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/crawl4ai-authentication-bypass-via-hardcoded-jwt-signing-key -~~	() https://www.vulncheck.com/advisories/crawl4ai-authentication-bypass-via-hardcoded-jwt-signing-key - Third Party Advisory

22 Jun 2026, 12:16

Type	Values Removed	Values Added
References	~~() https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg -~~	() https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg -

21 Jun 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-21 14:16

Updated : 2026-06-26 13:52

NVD link : CVE-2026-56265

Mitre link : CVE-2026-56265

CVE.ORG link : CVE-2026-56265

JSON object : View

Products Affected

kidocode

crawl4ai

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2026-56265", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-56265", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-06-22T10:43:38.300741Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "disclosure@vulncheck.com", "affectedData": [{"vendor": "Crawl4AI", "product": "Crawl4AI", "versions": [{"status": "affected", "version": "0", "lessThan": "0.8.7", "versionType": "semver"}, {"status": "unaffected", "version": "0.8.7", "versionType": "semver"}], "packageURL": "pkg:pypi/crawl4ai", "defaultStatus": "unaffected"}]}], "published": "2026-06-21T14:16:24.980", "references": [{"url": "https://github.com/unclecode/crawl4ai", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg", "tags": ["Mitigation", "Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/crawl4ai-authentication-bypass-via-hardcoded-jwt-signing-key", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg", "tags": ["Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality."}], "lastModified": "2026-06-26T13:52:16.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kidocode:crawl4ai:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C153B68-AA3F-4755-BA13-E98AAB321695", "versionEndExcluding": "0.8.7"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}