PatchSiren cyber security CVE debrief
CVE-2026-57572 unclecode CVE debrief
CVE-2026-57572 is a critical vulnerability in Crawl4AI's Docker API server. Prior to version 0.9.0, the server accepted request-supplied browser_config.extra_args, which flowed into Chromium's launch arguments. An attacker could inject Chromium switches that replace a child-process launch command together with --no-zygote, causing Chromium to fork or exec an attacker-controlled command as the container's runtime user. The Docker API is unauthenticated by default, so a single request yields arbitrary command execution. This issue is fixed in version 0.9.0.
- Vendor
- unclecode
- Product
- crawl4ai
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of Crawl4AI, especially those using versions prior to 0.9.0, should be aware of this critical vulnerability. The unauthenticated nature of the Docker API by default makes it a high-risk issue for potential exploitation.
Technical summary
The vulnerability exists in the Crawl4AI Docker API server's handling of browser_config.extra_args. This parameter was not properly sanitized, allowing an attacker to inject malicious Chromium switches. Specifically, an attacker could inject switches that, in combination with --no-zygote, would allow Chromium to execute an attacker-controlled command as the container's runtime user. This is particularly dangerous as the Docker API is unauthenticated by default, requiring only a single request to achieve arbitrary command execution on the system.
Defensive priority
High
Recommended defensive actions
- Upgrade Crawl4AI to version 0.9.0 or later
- Authenticate the Docker API
- Restrict access to the Docker API
- Monitor for suspicious activity
- Inventory and patch vulnerable systems
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. The vendor has released a patch in version 0.9.0. Users should verify their systems are updated and consider compensating controls.
Official resources
-
CVE-2026-57572 CVE record
CVE.org
-
CVE-2026-57572 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Mitigation, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:58.047Z and has not been modified since then. The NVD entry is currently Analyzed.