VDB
KO
HIGH 8.6

PYSEC-2026-596

Details

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / crawl4ai
Introduced in: 0 Fixed in: 0.8.7
Fix pip install --upgrade 'crawl4ai>=0.8.7'

References