CVE-2026-56265
published 2026-06-21
Priority: P2 · 70 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.41% (32.5th percentile)
Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crawl4ai | crawl4ai | < 0.8.7 | 0.8.7 |
| kidocode | crawl4ai | < 0.8.7 | 0.8.7 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server.
ghsa_unreviewed·2026-06-21
CVE-2026-56265 [CRITICAL] CWE-798 Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server.
VulDB
Crawl4AI up to 0.8.6 Docker API hard-coded credentials (GHSA-365w-hqf6-vxfg / EUVD-2026-38170)
vuldb·2026-06-21·CVSS 9.8
CVE-2026-56265 [CRITICAL] Crawl4AI up to 0.8.6 Docker API hard-coded credentials (GHSA-365w-hqf6-vxfg / EUVD-2026-38170)
A vulnerability was found in Crawl4AI up to 0.8.6. It has been classified as critical. This issue affects some unknown processing of the component Docker API. The manipulation leads to hard-coded credentials.
This vulnerability is traded as CVE-2026-56265. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.