Vulnerability  ·  2026-07-13

Crawl4AI Docker API Credential Exfiltration via LLM Endpoint base_url/api_token Manipulation

VulnerabilityHigh impactGlobalCVE-2026-56259
Crawl4AI's Docker API server (before 0.8.8) allowed unauthenticated redirection of LLM API traffic and disclosure of arbitrary environment variables via crafted base_url/api_token parameters on its /md, /llm, and /llm/job endpoints, enabling theft of provider API keys and the signing secret used for auth tokens.
Leaking the JWT SECRET_KEY allows full authentication bypass against the service, while LLM provider key theft enables attacker-controlled billing abuse and further pivoting — a high-severity credential exfiltration bug in a widely used AI web-crawling/LLM-extraction tool.
Unauthenticated attackers can call the exposed /md, /llm, and /llm/job endpoints with a malicious base_url parameter to redirect LLM API calls to an attacker-controlled endpoint, and set api_token to env:VARIABLE_NAME to read arbitrary server-side environment variables — exfiltrating LLM provider API keys and the JWT SECRET_KEY used for authentication.
Crawl4AI before 0.8.8 (Docker API server)
Upgrade Crawl4AI to 0.8.8 or later; do not expose the Docker API server unauthenticated; rotate any LLM provider keys and JWT secrets that may have been exposed.
GitHub Security Advisory GHSA-f989-c77f-r2cqVulnCheck Advisory
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →