CVE-2026-53753

CRITICAL LAB

Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-53753. PoCs published by thecodeb0ss, 0xEnc0der, BiiTts.

AI-analyzed exploit summary The repository contains no actual exploit code, technical details, or vulnerability analysis. It uses vague language and directs users to an external Telegram channel for the PoC, which is a common social engineering tactic to lure researchers into malicious or monetized content.

Description

Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution. The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema. This vulnerability is fixed in 0.8.7.

Exploits (3)

github SUSPICIOUS
by thecodeb0ss · poc
https://github.com/thecodeb0ss/Advanced-CVE-2026-53753

The repository contains no actual exploit code, technical details, or vulnerability analysis. It uses vague language and directs users to an external Telegram channel for the PoC, which is a common social engineering tactic to lure researchers into malicious or monetized content.

Classification
Suspicious 98%
No auth needed
mistral-large-3 · analyzed Jul 03, 2026 Full analysis →
nomisec WORKING POC
by 0xEnc0der · poc
https://github.com/0xEnc0der/CVE-2026-53753

This repository contains a functional exploit for CVE-2026-53753, targeting Crawl4AI <= 0.8.6. The exploit leverages an AST sandbox escape via generator frame manipulation to achieve pre-authentication remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Crawl4AI <= 0.8.6
No auth needed
Prerequisites: Network access to the target Crawl4AI instance
mistral-large-3 · analyzed Jul 02, 2026 Full analysis →
github WORKING POC
by BiiTts · pythonpoc
https://github.com/BiiTts/CVE-2026-53753-Crawl4AI-RCE

This repository contains a functional exploit for CVE-2026-53753, demonstrating an unauthenticated remote code execution (RCE) vulnerability in Crawl4AI < 0.8.7. The exploit leverages an AST sandbox escape in the `_safe_eval_expression()` function by walking the frame chain to access the real builtins and execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Crawl4AI < 0.8.7
No auth needed
Prerequisites: Network access to the target server · Crawl4AI service running with default configuration (JWT disabled)
mistral-large-3 · analyzed Jun 30, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.0045
EPSS Percentile 36.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull unclecode/crawl4ai:0.8.6

Details

CWE
CWE-913 CWE-94
Status published
Products (2)
kidocode/crawl4ai < 0.8.7
unclecode/crawl4ai < 0.8.7
Published Jun 23, 2026
Tracked Since Jun 24, 2026