External risk intelligence

Crawl4AI Docker API Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-57572

The vulnerability resides in a Docker API server that is unauthenticated by default. Such interfaces, when exposed to the internet, provide direct, pre-authentication access to command execution, making them highly likely to be internet-facing in many common development or deployment environments.

Code Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

The Crawl4AI open-source web crawler has a critical vulnerability that allows unauthenticated attackers to execute arbitrary commands within its Docker environment. This occurs because the Docker API server incorrectly processes specific arguments, enabling an attacker to inject malicious commands that run with the container's privileges. The issue is resolved in version 0.9.0.

  • Web crawler allows remote command execution.
  • Unauthenticated access to critical commands is a major risk.
  • Confirm if this crawler is used in your environment.

Attack Path

How an attacker could exploit the issue

An attacker could target the exposed Docker API, which is unauthenticated by default, to manipulate the web crawler's configuration. By injecting specific arguments into the browser configuration, an attacker can trick the crawler into executing arbitrary commands on the system running the crawler. This can lead to the complete compromise of the container.

  • No authentication needed to access API.
  • Inject arguments to control commands.
  • Arbitrary command execution within container.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could execute arbitrary commands within the container running Crawl4AI by sending a specially crafted request to the Docker API server. This could allow them to control the container's runtime and potentially compromise the host system when the Docker API is exposed externally without authentication.

  • Container runtime and host system.
  • Sending a malicious request to an exposed API.
  • Arbitrary command execution within the container.

Operational Fix

Recommended remediation, mitigation, and detection steps

The default unauthenticated Docker API in Crawl4AI enables unauthenticated attackers to achieve arbitrary command execution within the container. Owners of deployments utilizing this software should first identify all instances of Crawl4AI, confirm their network exposure and business criticality, and then assign responsibility for remediation. This will involve coordinating with the platform or application teams responsible for the deployment to plan and execute the upgrade to a patched version.

  • Platform or application team owns.
  • Verify network exposure and business criticality.
  • Plan and execute upgrade to version 0.9.0.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Crawl4AI?

Crawl4AI is an open-source tool designed to scrape and crawl web content, specifically optimized to make website data accessible to large language models. It runs within a Docker container and uses Chromium to render pages. Developers often use it to automate data collection tasks.

What does CVE-2026-57572 mean by command injection?

This vulnerability, classified as CWE-88 and CWE-94, allows an attacker to manipulate the browser settings used by Crawl4AI. By injecting malicious commands into the browser configuration, an attacker can trick the system into running unauthorized code instead of standard scraping commands. Essentially, the software inadvertently treats attacker-supplied data as executable instructions.

How is this Crawl4AI vulnerability triggered?

The flaw is triggered by sending a request to the Crawl4AI Docker API that includes specifically crafted browser arguments. Because the API does not authenticate requests, anyone who can reach the API service can send these instructions. Importantly, this attack is not triggered by standard web scraping activities or normal user interactions; it requires specific, malicious input designed to override the intended container command.

Is my Crawl4AI instance at risk?

According to Halo Surface Signal, this vulnerability is particularly relevant if your Docker API interface is accessible from the internet. Because the API lacks default authentication, any instance exposed to a public network is highly likely to be targeted for remote command execution. Internal instances remain a concern, but internet-facing deployments are the primary focus for immediate risk.

Do I need to update Crawl4AI?

Yes, you should update to version 0.9.0 or later to resolve this issue. If you use this software, start by identifying where it is deployed in your environment and check if its API is reachable over the network. Once located, coordinate with your technical team to apply the update, as this version contains the necessary fixes to prevent unauthorized command execution.

References