Crawl4AI Critical RCE Sandbox Escape Guide 2026

Crawl4AI Critical RCE Sandbox Escape 2026: CVE-2026-53753 (CVSS 9.8) — Pre-Auth RCE via AST Sandbox Escape

Every Crawl4AI instance running version 0.8.6 or earlier with its default configuration is remotely exploitable with zero authentication. A single POST /crawl request carrying a crafted JsonCssExtractionStrategy schema is enough to escape the AST-based expression sandbox and execute arbitrary system commands inside the Docker container — no credentials, no prior access, no user interaction required. CVE-2026-53753 carries a CVSS 9.8 because the attack vector is network-based, the complexity is low, and the impact on confidentiality, integrity, and availability is total. The root cause is a three-line flaw in the _safe_eval_expression() function: an AST validator that only blocks attribute names starting with an underscore, missing Python internals like gi_frame, f_back, and f_builtins that expose the full interpreter to anyone who knows the class hierarchy. ...

June 25, 2026 · 9 min · baeseokjae