{"id":"CVE-2026-26217","details":"Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulnerability in the Docker API deployment. The /execute_js, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem. An attacker can access sensitive files such as /etc/passwd, /etc/shadow, application configuration files, and environment variables via /proc/self/environ, potentially exposing credentials, API keys, and internal application structure.","aliases":["GHSA-vx9w-5cx4-9796"],"modified":"2026-04-10T05:43:00.101862Z","published":"2026-02-12T16:16:17.620Z","references":[{"type":"ADVISORY","url":"https://github.com/unclecode/crawl4ai/blob/main/docs/blog/release-v0.8.0.md"},{"type":"ADVISORY","url":"https://github.com/unclecode/crawl4ai/security/advisories/GHSA-vx9w-5cx4-9796"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/crawl4ai-docker-api-local-file-inclusion-via-file-url-handling"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/unclecode/crawl4ai","events":[{"introduced":"0"},{"fixed":"a5354f267aeeb793bf26e6566a89aa8f1f33809e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.8.0"}]}}],"versions":["0.3.4","v.3.72","v0.0.75","v0.1.0","v0.2.0","v0.2.1","v0.2.4","v0.2.6","v0.2.7","v0.2.71","v0.2.72","v0.2.73","v0.2.74","v0.2.77","v0.3.0","v0.3.3","v0.3.6","v0.3.745","v0.4.24","v0.4.243","v0.5.0.post1","v0.6.3","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.7.4","vr0.6.0","vr0.6.0rc1","vr0.6.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26217.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}