Security Advisory - Published 2026-06-22 - Crawl4AI / Docker API

Crawl4AI CVE-2026-56265: check Docker API exposure and rotate secrets

Crawl4AI before 0.8.7 can leave the Docker API server exposed through an unsafe default JWT signing key. Patch to 0.8.7 or newer, rotate secrets, and review API access before putting the service back on a public network.

Defensive scope: this guide covers version checks, exposure review, log review, and secret rotation. It does not include token forging or bypass steps.

Affected version

CVE             Product    Affected   CVSS
CVE-2026-56265  Crawl4AI   < 0.8.7    9.8

Owner self-check

# 1. Which Crawl4AI containers are running, and from which image
docker ps | grep -i crawl4ai
# 2. Signing key / token settings and published ports. Note: this prints the
#    environment values themselves, including the current secret; do not
#    paste the raw output into tickets or chat.
docker inspect $(docker ps -q --filter name=crawl4ai) 2>/dev/null | grep -Ei 'JWT|SECRET|TOKEN|PORT|HostPort'
# 3. Listening sockets on the host (run as root to see process names)
ss -lntp | grep -E 'crawl4ai|docker|11235|8000|8080'
# 4. Last 7 days of container logs. Use 2>&1, not 2>/dev/null: the
#    application writes most of its log lines to stderr, and discarding
#    it would hide exactly the auth events being searched for.
docker logs --since 7d $(docker ps -q --filter name=crawl4ai) 2>&1 | grep -Ei 'auth|jwt|token|admin|error|warning'

What to review

  • Crawl4AI version and image digest actually running in Docker.
  • Whether the Docker API server or Crawl4AI API port was reachable from the internet.
  • JWT signing key, API tokens, admin users, worker jobs, and recent crawl jobs.
  • Unexpected API calls, new tasks, changed configuration, or outbound requests during the exposure window.
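The following script turns the first three review items into a repeatable check over `docker inspect` output. It is an added example, not Crawl4AI project code: it assumes the fixed version is 0.8.7 (from the advisory), that the image tag carries the version, and that the signing key is passed as an environment variable; the variable name JWT_SECRET_KEY is an assumed placeholder, as is the image name in the constructed sample. It reports findings without echoing secret values.

```python
"""Audit `docker inspect` output for a Crawl4AI container.

Added example, not Crawl4AI project code. Assumptions:
- fixed version is 0.8.7 (from the advisory);
- the signing key reaches the container as an env variable whose name is
  JWT_SECRET_KEY (ASSUMED placeholder; set JWT_ENV_NAMES to your real name).
Usage: docker inspect $(docker ps -q --filter name=crawl4ai) | python3 audit_crawl4ai.py
"""
import json
import re
import sys

FIXED_VERSION = (0, 8, 7)
JWT_ENV_NAMES = ("JWT_SECRET_KEY",)          # assumed placeholder name(s)
MIN_SECRET_LEN = 32                          # local policy, not a project setting
PLACEHOLDER_SECRETS = {"", "secret", "changeme", "change-me", "default", "password"}


def parse_version(image):
    """Return (major, minor, patch) from an image reference tag, or None.

    'repo/crawl4ai:0.8.5' -> (0, 8, 5); ':latest' or a digest-only ref -> None,
    in which case the running version must be confirmed another way.
    """
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None


def env_to_dict(env_list):
    """Turn docker's ['KEY=value', ...] list into a dict."""
    out = {}
    for item in env_list or []:
        key, _, value = item.partition("=")
        out[key] = value
    return out


def audit_container(info):
    """Return a list of finding strings for one `docker inspect` record."""
    findings = []
    config = info.get("Config", {})

    # 1. Version actually running, taken from the image tag
    image = config.get("Image", "")
    ver = parse_version(image)
    if ver is None:
        findings.append(f"version: cannot read a version from image '{image}'; check digest manually")
    elif ver < FIXED_VERSION:
        findings.append(f"version: {'.'.join(map(str, ver))} is older than 0.8.7 (CVE-2026-56265)")

    # 2. Ports published on every interface (empty HostIp means 0.0.0.0)
    bindings = info.get("HostConfig", {}).get("PortBindings") or {}
    for cport, binds in bindings.items():
        for b in binds or []:
            host_ip = b.get("HostIp") or "0.0.0.0"
            if host_ip in ("0.0.0.0", "::"):
                findings.append(f"exposure: container port {cport} published on all interfaces "
                                f"(host port {b.get('HostPort')})")

    # 3. Signing key present and not an obvious placeholder (value never printed)
    env = env_to_dict(config.get("Env"))
    present = [n for n in JWT_ENV_NAMES if n in env]
    if not present:
        findings.append("secret: no JWT signing key variable found; service may run on the default key")
    for name in present:
        value = env[name]
        if value.lower() in PLACEHOLDER_SECRETS or len(value) < MIN_SECRET_LEN:
            findings.append(f"secret: {name} is a placeholder or shorter than {MIN_SECRET_LEN} chars; rotate it")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for a whole `docker inspect` document."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = [data]
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in data}


# Constructed sample: one vulnerable deployment (old tag, public port, weak key)
SAMPLE_INSPECT = json.dumps([{
    "Name": "/crawl4ai",
    "Config": {"Image": "example/crawl4ai:0.8.5",            # image name assumed
               "Env": ["PATH=/usr/bin", "JWT_SECRET_KEY=changeme"]},
    "HostConfig": {"PortBindings": {"11235/tcp": [{"HostIp": "", "HostPort": "11235"}]}},
}])

if __name__ == "__main__":
    text = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit_inspect_json(text).items():
        print(f"== {name}")
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run with no stdin to see the three findings on the constructed sample; in a real review, pipe `docker inspect` in and treat any `version:` or `secret:` line as a blocker for putting the service back on a public network.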

Safe fix path

  1. Upgrade Crawl4AI to 0.8.7 or newer and redeploy every container using the old image.
  2. Set a fresh JWT signing secret and rotate API credentials used by Crawl4AI.
  3. Bind the API to a private interface or put it behind authentication and IP restrictions.
  4. Review logs before deleting containers; short-lived containers can be the only evidence.

Repair help

Use Ping7 CVE Repair when Crawl4AI was public, API logs show unknown users, or crawl jobs may have touched internal systems.

References