What happened
Crawl4AI before 0.8.7 contains an SSRF vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints. The internal-address blocklist filters by IPv4 and IPv6 CIDR ranges but can be bypassed with IPv6-mapped IPv4 addresses (e.g. ::ffff:169.254.169.254 for cloud metadata), so unauthenticated attackers can reach internal services. CVSS 8.6 High, published 2026-06-22.
Why it matters
The /llm endpoint is specifically designed to produce LLM-ready output, which means an attacker can force Crawl4AI to scrape internal cloud metadata, IMDS credentials and internal AI services and receive the results as clean, LLM-formatted text. The Docker API is unauthenticated by default, making this a zero-auth SSRF against AI data pipelines.
Attack vector
An unauthenticated POST to /crawl, /crawl/stream, /md or /llm with an IPv6-mapped IPv4 address (::ffff:169.254.169.254) as the target bypasses the blocklist and reaches cloud metadata or internal services.
Affected systems
Crawl4AI < 0.8.7
Mitigation
Upgrade to Crawl4AI 0.8.7. Source: https://github.com/unclecode/crawl4ai
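The following is an added illustration of the blocklist weakness the advisory describes and of the canonicalization step that closes it; it is not Crawl4AI's code, and the blocklist contents are constructed (the project's real list is assumed to differ in detail). It shows why a pure CIDR membership test lets ::ffff:169.254.169.254 through, and how normalizing IPv6 forms that embed an IPv4 address before the check fixes that:

```python
import ipaddress
from typing import Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed blocklist in the shape the advisory describes: separate IPv4 and
# IPv6 CIDR ranges for loopback, RFC 1918, link-local (which contains the
# 169.254.169.254 metadata address) and ULA. Assumption: the real project's
# list differs in detail; only the checking logic matters here.
BLOCKED_NETWORKS = [ipaddress.ip_network(cidr) for cidr in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_host_literal(host: str) -> IPAddr:
    """Accept a bare address or a bracketed URL host literal such as [::1]."""
    return ipaddress.ip_address(host.strip("[]"))


def is_blocked_naive(host: str) -> bool:
    """CIDR membership only. ipaddress never reports an address as a member of
    a network of the other IP version, so an IPv6-mapped IPv4 address is
    compared only against the IPv6 ranges and slips past the IPv4 ones."""
    addr = parse_host_literal(host)
    return any(addr in net for net in BLOCKED_NETWORKS)


def canonicalize(addr: IPAddr) -> IPAddr:
    """Reduce IPv6 forms that embed an IPv4 address to that IPv4 address so the
    IPv4 ranges apply to them."""
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:             # ::ffff:a.b.c.d (RFC 4291 2.5.5.2)
            return addr.ipv4_mapped
        if int(addr) >> 32 == 0 and int(addr) > 1:   # deprecated ::a.b.c.d form; :: and ::1 stay IPv6
            return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return addr


def is_blocked_hardened(host: str) -> bool:
    """Canonicalize first, then combine the CIDR list with the stdlib's own
    classification so the decision does not depend on the list being complete."""
    addr = canonicalize(parse_host_literal(host))
    if any(addr in net for net in BLOCKED_NETWORKS):
        return True
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


if __name__ == "__main__":
    for host in ("169.254.169.254", "::ffff:169.254.169.254",
                 "::ffff:a9fe:a9fe", "[::ffff:127.0.0.1]", "8.8.8.8"):
        print(f"{host:26} naive={is_blocked_naive(host)!s:5} "
              f"hardened={is_blocked_hardened(host)}")
```

The naive check reproduces the bypass: 169.254.169.254 is rejected, but ::ffff:169.254.169.254 (and its hex spelling ::ffff:a9fe:a9fe) passes. The hardened check accepts the address only after it has been reduced to the IPv4 address it carries. In a real crawler the same check has to run on every address a hostname resolves to, and the connection must then be made to the checked address rather than re-resolving the name, otherwise DNS rebinding gives an equivalent bypass.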