Crawl4AI - Authentication Bypass via Hardcoded JWT Signing Key

An attacker who knows the hardcoded default JWT signing key can craft a forged authentication token for any user identity. By presenting this forged token to the Docker API server, the attacker bypasses all authentication checks and gains full access to protected API endpoints. No prior authentication or network position beyond reachability of the Docker API is required. [CWE-798]

The Docker API server in Crawl4AI before version 0.8.7 uses a hardcoded default JWT signing key. This key is embedded in the server code that validates authentication tokens, allowing anyone who knows the default key to forge valid tokens.

The advisory states that version 0.8.7 is a 'Security-hardening release' that 'Fixes critical Docker API vulnerabilities (RCE, SSRF, auth bypass, file write, XSS, hardcoded JWT secret)'. The patch removes the hardcoded default JWT signing key and enforces that a unique, user-provided secret is used for token signing, preventing attackers from forging valid tokens without knowledge of the server-specific secret.