Crawl4AI < 0.8.0 Docker API Unauthenticated Remote Code Execution via Hooks Parameter

Advisories

severity: critical
date: 2/12/2026
Affecting: Crawl4AI < 0.8.0
CVE: CVE-2026-26216
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSS: 10
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References: Crawl4AI GitHub Security Advisory
Crawl4AI GitHub v0.8.0 Release Notes
Credit: Neo by ProjectDiscovery (https://neo.projectdiscovery.io)
Description: Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing unauthenticated remote attackers to import arbitrary modules and execute system commands. Successful exploitation allows full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo