Crawl4AI maintainers and vulnerability databases warn that versions before 0.8.8 allowed unauthenticated Docker API requests to redirect LLM calls and resolve environment-variable tokens, potentially exposing provider API keys and server secrets. Users of the Docker server are advised to upgrade to 0.8.8.
Crawl4AI maintainers disclosed a Docker server vulnerability that could let unauthenticated attackers exfiltrate LLM credentials and other environment-stored secrets in versions before 0.8.8.
The GitHub Advisory Database entry published by the Crawl4AI maintainers describes a credential exfiltration issue in the project’s Docker API server. According to the advisory, affected versions allowed unauthenticated requests to control the base_url used for LLM API calls and to trigger env: token resolution, creating a path for secrets to be sent to attacker-controlled endpoints.
VulnCheck tracks the issue as CVE-2026-56259 and lists Crawl4AI versions greater than or equal to 0 and earlier than 0.8.8 as affected. The National Vulnerability Database also records CVE-2026-56259 as a high-severity issue affecting Crawl4AI before 0.8.8.
According to VulnCheck, the vulnerable Docker API endpoints include /md, /llm, and /llm/job. An attacker could send unauthenticated requests that specify a malicious base_url, causing LLM API traffic to be directed to an endpoint the attacker controls.
The same advisory says attackers could set api_token to a value such as env:VARIABLE_NAME. In vulnerable versions, the server would resolve that environment variable and use its value as the API token. If the request also supplied an attacker-controlled base_url, the resolved secret could be sent outside the server.
The Crawl4AI GitHub advisory says this behavior could expose provider API keys and server secrets. VulnCheck specifically notes that the technique could be used to read arbitrary environment variables, including secrets such as a JWT SECRET_KEY, depending on what was present in the deployment environment.
Many LLM-enabled applications store provider credentials in environment variables, including API keys for model providers and secrets used by local services. The advisories indicate that Crawl4AI’s vulnerable Docker server combined two risky behaviors: allowing remote control over the destination of LLM requests and resolving tokens from environment variables based on request input.
That combination matters because credential exposure does not require a direct read of configuration files. As described by the GitHub advisory and VulnCheck, an attacker could cause the application itself to resolve a secret and transmit it as part of an outbound request.
The issue is especially relevant for deployments that expose the Docker API server to untrusted networks. The sources describe the affected endpoints as unauthenticated, meaning exploitation does not depend on a valid user account if the service is reachable.
Crawl4AI version 0.8.8 contains the fix. The PyPI release page for Crawl4AI 0.8.8 states that the release includes a Docker server security patch that stops LLM credential exfiltration through request-controlled base_url handling and advises Docker server users to upgrade.
Administrators running Crawl4AI’s Docker server should upgrade to version 0.8.8 or later, according to the project’s release guidance. Teams should also review whether the Docker API server has been exposed beyond trusted networks and rotate any LLM provider keys or server secrets that may have been available in environment variables on affected deployments.
Because the advisories identify possible exposure of authentication-related secrets, operators should consider rotating JWT signing secrets or equivalent server keys where those values were stored in the affected environment. Any such rotation should be paired with a review of application logs and outbound network records for unexpected requests to unfamiliar LLM API endpoints.
This report is based on the Crawl4AI GitHub Security Advisory GHSA-f989-c77f-r2cq, VulnCheck’s advisory for CVE-2026-56259, the National Vulnerability Database entry for CVE-2026-56259, and the Crawl4AI 0.8.8 release page on the Python Package Index.
Crawl4AI maintainers disclosed a Docker server vulnerability that could let unauthenticated attackers exfiltrate LLM credentials and other environment stored secrets in versions before 0.8.8.
What was disclosed The GitHub Advisory Database entry published by the Crawl4AI maintainers describes a credential exfiltration issue in the project’s Docker API server.
VulnCheck tracks the issue as CVE 2026 56259 and lists Crawl4AI versions greater than or equal to 0 and earlier than 0.8.8 as affected.
Continue reading