Back

Multiple Vulnerabilities in CrewAI Enable RCE and SSRF Attacks

Severity: High (Score: 67.5)

Sources: Reddit, Kb.Cert

Summary

Four critical vulnerabilities have been discovered in CrewAI, a Python multi-agent framework, including CVE-2026-2275, CVE-2026-2286, CVE-2026-2287, and CVE-2026-2285. These vulnerabilities allow attackers to exploit the Code Interpreter Tool through prompt injection, leading to remote code execution (RCE), arbitrary local file read, and server-side request forgery (SSRF). The vulnerabilities stem from improper configurations and fallback behaviors when Docker is not available. Currently, there is no full patch released, and the CrewAI maintainers are working on mitigations. The attack vector requires only access to the CrewAI agent with the Code Interpreter Tool enabled, making it a significant risk for deployments. The vulnerabilities were published on 2026-03-30, and the situation remains critical as no CVSS scores have been assigned yet. Key Points: • Four CVEs in CrewAI allow for RCE and SSRF via prompt injection. • Attackers need access to the CrewAI agent with the Code Interpreter Tool enabled. • No full patch is available; mitigations are in progress.

Key Entities

  • Information Disclosure (attack_type)
  • Remote Code Execution (attack_type)
  • Server-Side Request Forgery (attack_type)
  • Zero-day Exploit (attack_type)
  • CVE-2026-2275 (cve)
  • CVE-2026-2285 (cve)
  • CVE-2026-2286 (cve)
  • CVE-2026-2287 (cve)
  • Docker (tool)
  • Python (tool)
  • Code Interpreter Tool (tool)
  • JSON Loader Tool (tool)
  • SandboxPython (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed