CVE-2026-56265

EPSS 0.43%
Veröffentlicht 21.06.2026 13:26:54
Zuletzt bearbeitet 26.06.2026 13:52:16
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Crawl4AI - Authentication Bypass via Hardcoded JWT Signing Key

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kidocode ≫ Crawl4ai Version < 0.8.7

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.341

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg

Vendor Advisory

Mitigation

https://github.com/unclecode/crawl4ai

Product

https://www.vulncheck.com/advisories/crawl4ai-authentication-bypass-via-hardcoded-jwt-signing-key

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-56265

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-56265

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-56265

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-56265