Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 14 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Kidocode
Kidocode crawl4ai |
|
| CPEs | cpe:2.3:a:kidocode:crawl4ai:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Kidocode
Kidocode crawl4ai |
Tue, 14 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Sun, 12 Jul 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Crawl4ai
Crawl4ai crawl4ai |
|
| Vendors & Products |
Crawl4ai
Crawl4ai crawl4ai |
Sun, 12 Jul 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by supplying a malicious base_url parameter and setting api_token to env:VARIABLE_NAME to exfiltrate provider API keys and server secrets including JWT SECRET_KEY for authentication bypass. | |
| Title | Crawl4AI - LLM Credential Exfiltration via base_url and Environment Variable Resolution | |
| Weaknesses | CWE-200 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-14T21:34:08.713Z
Reserved: 2026-06-19T21:56:09.656Z
Link: CVE-2026-56259
Updated: 2026-07-14T14:10:25.798Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T12:45:06Z