GHSA-f989-c77f-r2cq: Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution
Summary
Crawl4AI's Docker API server had two security flaws that let attackers steal secrets. First, attackers could change where the server sent LLM (large language model) requests by controlling a `base_url` parameter, causing the server to send its API keys to an attacker's server. Second, attackers could read any environment variable (including passwords and secret keys) from the server by using the `env:` syntax in configuration, then combine this with the first flaw to steal those secrets. Since the Docker API required no authentication by default, anyone could exploit these flaws.
Solution / Mitigation
Upgrade to the patched version. The fix prevents request-supplied `base_url` values from being used (the server now only derives the endpoint from its configured provider name), and blocks `env:` resolution of environment variables with names containing SECRET, PASSWORD, PRIVATE, or prefixes like CRAWL4AI* and AWS_SECRET*, or specific names like SECRET_KEY, REDIS_PASSWORD, and TOKEN. As workarounds, enable authentication with `CRAWL4AI_API_TOKEN` or avoid storing sensitive secrets in the server environment alongside provider keys.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://github.com/advisories/GHSA-f989-c77f-r2cq
First tracked: June 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%