CVE-2026-53753: Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API

June 16, 2026

The _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution.

The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema.

References

github.com/advisories/GHSA-qxjp-w3pj-48m7
github.com/unclecode/crawl4ai/pull/1855
github.com/unclecode/crawl4ai/pull/1886
github.com/unclecode/crawl4ai/security/advisories/GHSA-qxjp-w3pj-48m7
nvd.nist.gov/vuln/detail/CVE-2026-53753

Code Behaviors & Features

Detect and mitigate CVE-2026-53753 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →