Vulnerability  ·  2026-07-07

Crawl4AI Docker API — Unconfined Path Traversal in Downloaded-File Naming

VulnerabilityHigh impactGlobalCVE-2026-57571
Crawl4AI's file-download handling used attacker-influenced filenames without validating or confining the resulting path, allowing arbitrary file write via path traversal or absolute-path filenames — which in combination with other primitives (e.g., writing to a startup script or cron location) can escalate to code execution.
Combined with the companion RCE (CVE-2026-57572) and SSRF bypass (CVE-2026-57573) disclosed the same day, this gives attackers multiple chained paths to fully compromise Crawl4AI-based AI content pipelines — a single vendor disclosure batch representing a critical, multi-vector compromise of a widely-deployed AI crawling tool.
When the crawler saves a downloaded file, the destination filename is taken from attacker-influenced input and joined to the downloads directory with no path confinement, so a filename containing an absolute path or '../' traversal sequence writes outside the intended download directory.
Crawl4AI (unclecode/crawl4ai) Docker API server, versions prior to 0.9.0
Upgrade to Crawl4AI >= 0.9.0. Sandbox/containerize crawl workers and restrict filesystem write scope for the crawl process.
NVD CVE-2026-57571Crawl4AI fix commit
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →