CVE-2026-56265 (CVSS 9.8) — Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentica
Cyber Resilience Act. Sourced from NVD, summarised by Matproof.
AI Analysis
What changed and what to do.
A critical vulnerability has been published under CVE-2026-56265, affecting Crawl4AI versions prior to 0.8.7. The flaw carries a CVSS score of 9.8, indicating severe risk. It involves an authentication bypass due to a hardcoded default JWT signing key in the Docker API server. Any attacker aware of this default key can forge valid authentication tokens, potentially gaining unauthorized access to the system. This issue was published on June 21, 2026, and falls under the EU Cyber Resilience Act framework due to its impact on software supply chain security.
Organizations using Crawl4AI in Dockerized environments are directly affected, particularly those in sectors handling sensitive data such as finance, healthcare, and critical infrastructure. Any entity deploying Crawl4AI as part of an AI or data extraction pipeline should treat this as a high-priority incident. The vulnerability could allow remote attackers to compromise system integrity and confidentiality without any prior authentication.
Compliance teams should immediately verify the version of Crawl4AI in use and upgrade to version 0.8.7 or later. If immediate patching is not possible, isolate affected Docker containers from external networks and review access logs for signs of exploitation. Under the CRA, this may also require notification to relevant national authorities if personal data or critical services are involved. Update your software bill of materials and incident response playbooks accordingly.
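One way to test whether a token issued by your own deployment was signed with a known default key, as an added example that is not code from Crawl4AI or the NVD entry. It assumes HS256 tokens; the key value is a placeholder because the page does not state it, and `sample_token` and `signed_with_known_key` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import json

# Placeholder: the advisory text above does not state the default key.
# Substitute the value from the vendor advisory when auditing a deployment.
KNOWN_DEFAULT_KEYS = [b"<DEFAULT-KEY-FROM-VENDOR-ADVISORY>"]

def b64url_decode(part):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(key, claims):
    """Build a constructed HS256 token so the check has offline test input."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def signed_with_known_key(token, keys=KNOWN_DEFAULT_KEYS):
    """Return the known key an HS256 token verifies under, or None."""
    try:
        head, body, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # assumption: only HMAC-SHA256 tokens are checked
    signing_input = f"{head}.{body}".encode()
    for key in keys:
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return key
    return None

if __name__ == "__main__":
    # Constructed samples: one signed with the placeholder, one with a unique secret.
    for label, key in [("default", KNOWN_DEFAULT_KEYS[0]), ("rotated", b"constructed-unique-secret")]:
        hit = signed_with_known_key(sample_token(key, {"sub": "audit"}))
        print(label, "-> REPLACE KEY" if hit else "-> ok")
```

A non-`None` result for a token your deployment issued means the server is still signing with a known default key.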
This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.