MEDIUM 6.5

PYSEC-2026-229

Details

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invoke the /monitor/actions/cleanup endpoint and manipulate monitoring state without authentication, causing service disruption.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / crawl4ai

Introduced in: 0 Fixed in: 0.8.7

Fix pip install --upgrade 'crawl4ai>=0.8.7'

References

https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg [ADVISORY]
https://www.vulncheck.com/advisories/crawl4ai-unauthenticated-access-to-monitor-endpoints-via-docker-api-server [ADVISORY]
https://github.com/unclecode/crawl4ai [PACKAGE]