CVE-2026-26216

描述

A critical remote code execution vulnerability exists in the Crawl4AI Docker API deployment. The `/crawl` endpoint accepts a `hooks` parameter containing Python code that is executed using `exec()`. The `__import__` builtin was included in the allowed builtins, allowing attackers to import arbitrary modules and execute system commands. **Attack Vector:** ```json POST /crawl { "urls": ["https://example.com"], "hooks": { "code": { "on_page_context_created": "async def hook(page, context, **kwargs):\n __import__('os').system('malicious_command')\n return page" } } } ``` ### Impact An unauthenticated attacker can: - Execute arbitrary system commands - Read/write files on the server - Exfiltrate sensitive data (environment variables, API keys) - Pivot to internal network services - Completely compromise the server ### Mitigation 1. **Upgrade to v0.8.0** (recommended) 2. If unable to upgrade immediately: - Disable the Docker API - Block `/crawl` endpoint at network level - Add authentication to the API ### Fix Details 1. Removed `__import__` from `allowed_builtins` in `hook_manager.py` 2. Hooks disabled by default (`CRAWL4AI_HOOKS_ENABLED=false`) 3. Users must explicitly opt-in to enable hooks ### Credits Discovered by Neo by ProjectDiscovery (https://projectdiscovery.io)

受影響套件(2)

• PyPI/crawl4aifrom 0, < 0.8.0
• PyPI/crawl4aifrom 0, < 0.8.0

CVSS 分數

參考連結(7)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-26216
• PATCHhttps://github.com/unclecode/crawl4ai
• WEBhttps://github.com/unclecode/crawl4ai/blob/main/docs/blog/release-v0.8.0.md
• WEBhttps://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/blog/release-v0.8.0.md
• WEBhttps://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/migration/v0.8.0-upgrade-guide.md
• WEBhttps://github.com/unclecode/crawl4ai/security/advisories/GHSA-5882-5rx9-xgxp
• WEBhttps://www.vulncheck.com/advisories/crawl4ai-docker-api-unauthenticated-remote-code-execution-via-hooks-parameter