Crawl4AI versions 0.8.6 and below have a critical RCE vulnerability.
CVE-2026-53753. CVSS 9.8. No authentication required.
The `_safe_eval_expression()` function in computed fields uses an AST validator that blocks attributes starting with underscore.
Python generator frame attributes don't start with underscore.
gi_frame, f_back, f_builtins — all unblocked.
An attacker sends a single POST to /crawl with a crafted JsonCssExtractionStrategy schema. The expression creates a generator, walks the frame chain via f_back, reaches f_builtins containing the real `__import__`, imports os, and executes arbitrary commands inside your Docker container.
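As an added illustration (not Crawl4AI's code, and not a substitute for the 0.8.7 fix, which removes eval() from this path), the snippet below reconstructs the weak underscore-only AST check the advisory describes next to an allowlist-based validator, and shows that a probe expression reaching `gi_frame.f_back.f_builtins` passes the first and is refused by the second. The allowlists are assumptions for a typical computed-field language, and the probe is only parsed, never evaluated.

```python
import ast

# Probe mirroring the attribute chain named in the advisory. Parsed only.
PROBE = "(x for x in ()).gi_frame.f_back.f_builtins"


def underscore_only_validate(expr: str) -> bool:
    """Weak check of the kind the advisory describes: an attribute is rejected
    only if its name starts with '_'. Reconstructed for illustration."""
    tree = ast.parse(expr, mode="eval")
    return not any(
        isinstance(n, ast.Attribute) and n.attr.startswith("_") for n in ast.walk(tree)
    )


# Assumed allowlists: arithmetic and comparison on field names, a few string
# methods and builtins. Anything else is rejected, including generator
# expressions and frame/code attributes such as gi_frame, f_back, f_builtins.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load, ast.Attribute, ast.Call,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub, ast.Not, ast.And,
    ast.Or, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)
ALLOWED_ATTRS = {"strip", "lower", "upper", "split", "replace", "startswith"}
ALLOWED_CALLS = {"len", "str", "int", "float", "round"}


def allowlist_validate(expr: str) -> bool:
    """Hardened check: every node type, attribute and call target must be on
    an explicit allowlist; names beginning with '_' are refused as well."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            return False
        if isinstance(node, ast.Attribute) and node.attr not in ALLOWED_ATTRS:
            return False
        if isinstance(node, ast.Call):
            f = node.func
            if not ((isinstance(f, ast.Name) and f.id in ALLOWED_CALLS)
                    or (isinstance(f, ast.Attribute) and f.attr in ALLOWED_ATTRS)):
                return False
    return True


if __name__ == "__main__":
    for check in (underscore_only_validate, allowlist_validate):
        print(check.__name__, "accepts probe:", check(PROBE))
```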
JWT is disabled by default. If you didn't set CRAWL4AI_API_TOKEN, you're wide open.
This isn't theoretical. CISA flagged active exploitation patterns in similar AST escape classes. The fix removes eval() entirely from the computed-field path. Expressions now log a warning and return the default.
Upgrade to 0.8.7 immediately. Enable JWT authentication. Restrict network access to the Docker API.
Audit every container running crawl4ai. If you're using it as a scraping tool for agent workflows, you just inherited a remote code execution primitive.
Crawl4AI just gave every exposed Docker instance full root. CVSS 9.8. Your agent's web scraper is the attack vector.