CVE-2026-53753

Crawl4AI AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE

Detects exploitation of CVE-2026-53753, a critical pre-authentication remote code execution vulnerability in Crawl4AI (<=0.8.6) Docker API. The vulnerability allows attackers to escape Python AST-based sandboxing via generator frame introspection (gi_frame.f_back chain), enabling arbitrary code execution without authentication. CVSS 9.8 critical; public PoC available.

Vulnerability Intelligence

Public PoC

What is CVE-2026-53753 Crawl4AI AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE?

Crawl4AI AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE (CVE-2026-53753) maps to the MITRE ATT&CK tactics Initial Access, Execution and Privilege Escalation; under Initial Access, the adversary is trying to get into your network.

This page provides production-ready detection logic for Crawl4AI AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE, covering the data sources and telemetry it touches: DeviceNetworkEvents, DeviceProcessEvents, CommonSecurityLog. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic

  • Initial Access
  • Execution
  • Privilege Escalation
Microsoft Sentinel / Defender (KQL)

```kusto
// Network side: requests to Crawl4AI API endpoints. DeviceNetworkEvents exposes the
// URL and port as RemoteUrl/RemotePort, CommonSecurityLog as RequestURL/DestinationPort,
// so normalise both before filtering (otherwise only CommonSecurityLog rows can match).
union DeviceNetworkEvents, CommonSecurityLog
| where TimeGenerated > ago(24h)
| extend RequestURL = coalesce(RequestURL, RemoteUrl),
         DestinationPort = coalesce(DestinationPort, RemotePort)
| where (RequestURL has "/execute" or RequestURL has "/run" or RequestURL has "/crawl")
    and (RequestURL has "crawl4ai" or DestinationPort in (11235, 8080, 8000))
// Process side: children of Python / ASGI-server processes whose command line carries
// frame-introspection or shell-spawn tokens. The join is on DeviceId only, so only rows
// that carry a Defender DeviceId can be correlated, and there is no time bound tighter
// than the 24h lookback; tighten this with a time window when tuning.
| join kind=leftouter (
    DeviceProcessEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ("python3", "python", "uvicorn", "gunicorn")
    | where ProcessCommandLine has_any ("gi_frame", "f_back", "__globals__", "__builtins__", "os.system", "subprocess", "__import__")
    | project DeviceId, ProcessCommandLine, InitiatingProcessCommandLine, Timestamp
) on DeviceId
| where isnotempty(ProcessCommandLine)
| project TimeGenerated, DeviceId, DeviceName, RequestURL, ProcessCommandLine, InitiatingProcessCommandLine
| extend AlertReason = "Crawl4AI sandbox escape pattern detected via AST frame introspection"
```

Detects HTTP requests to Crawl4AI API endpoints correlated with Python process execution containing sandbox escape patterns (gi_frame, f_back, __globals__, __builtins__) characteristic of CVE-2026-53753 exploitation.

Severity: critical. Confidence: high.

Data Sources

DeviceNetworkEvents DeviceProcessEvents CommonSecurityLog

Required Tables

DeviceNetworkEvents DeviceProcessEvents CommonSecurityLog

False Positives

  • Legitimate Python debugging tools that inspect generator frames during development
  • Security researchers performing authorized penetration testing against Crawl4AI instances
  • Internal automation scripts that legitimately call Crawl4AI API endpoints
  • Container health checks or monitoring agents polling Crawl4AI service endpoints

Sigma rule & cross-platform mapping

The detection logic for Crawl4AI AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE (CVE-2026-53753) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource:

```yaml
logsource:
  category: process_creation
  product: windows
```


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2026-53753 Basic Sandbox Escape via gi_frame

    Expected signal: HTTP POST to /execute endpoint followed by Python process executing os.system('id') and writing to /tmp/crawl4ai_pwned.txt; child process of uvicorn/gunicorn spawning /bin/sh

  2. Test 2: CVE-2026-53753 Remote Code Execution with Reverse Shell

    Expected signal: Outbound TCP connection from Crawl4AI container to attacker IP on port 4444; subprocess.Popen spawning bash with stdin redirected to network socket

  3. Test 3: CVE-2026-53753 Credential Exfiltration from Container Environment

    Expected signal: HTTP POST with gi_frame payload followed by Python reading os.environ; response containing environment variable key-value pairs potentially including API_KEY, DATABASE_URL, VAULT_TOKEN

  4. Test 4: CVE-2026-53753 Unauthenticated Version Fingerprinting

    Expected signal: Unauthenticated HTTP GET to /health or root endpoint returning Crawl4AI version information without requiring credentials
