Summary
CVE-2026-57573 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Crawl4AI Docker API server, affecting all versions prior to 0.9.0. A remote unauthenticated attacker can exploit the streaming crawl endpoint to force the server to fetch arbitrary internal, private, or link-local URLs and stream the response body back — with no authentication or user interaction required. The vulnerability is rated CVSS 8.6 (HIGH) with Scope Changed and Confidentiality High.
Technical details
- Root cause: The
handle_stream_crawl_requestfunction passed seed URLs directly to the crawler without invoking thevalidate_url_destinationcheck that was applied to the non-streaming/crawlendpoint, leaving the streaming path entirely unprotected against SSRF destinations. - Trigger conditions: An unauthenticated remote client sends a single HTTP POST to
POST /crawl/stream, or toPOST /crawlwithcrawler_config.stream=true, supplying an internal, private, or link-local address (e.g.169.254.169.254) as the target URL. - Attack vector: Network-accessible with no authentication required; the Docker API server runs without authentication by default on all versions prior to 0.9.0, and no user interaction is needed.
- Impact: The server fetches the attacker-supplied URL and streams the full response body back to the caller. This enables unauthorised access to cloud instance metadata endpoints, internal services, and other link-local or RFC-1918 resources beyond the application’s own security boundary — facilitating credential theft, internal network reconnaissance, and lateral movement.
Affected software
- Crawl4AI Docker API server, all versions prior to 0.9.0 (≤ 0.8.9)
Severity
- CVSS v3.1 Base Score: 8.6 (HIGH)
- Vector string:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Mitigation and recommended actions
- Immediate: Upgrade Crawl4AI to version 0.9.0 or later. Version 0.9.0 closes the missing destination-validation gap on the streaming path and additionally enables API authentication by default.
- If immediate patching is not possible: Restrict network-level access to the Crawl4AI Docker API port via firewall rules so only trusted hosts can reach the service. Apply egress firewall controls on the container to block outbound connections to private (RFC-1918), link-local (169.254.0.0/16), and loopback address ranges.
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

