CISA updates CrewAI alert on SSRF, RCE, and file read

CrewAI has four vulnerabilities that include remote code execution, arbitrary local file read, and server-side request forgery. The highest-level impact described is the ability for an attacker to chain the issues to achieve sandbox bypass and remote code execution, depending on host configuration.

CVE-2026-2275 originates in the CrewAI CodeInterpreter tool. When the tool cannot reach Docker it falls back to SandboxPython, which can permit code execution through arbitrary C function calls. The issue is reachable when allow_code_execution=True is set in the agent configuration, or when the developer adds the Code Interpreter Tool to the agent manually. CVE-2026-2286 is an SSRF issue that enables content retrieval from internal and cloud services, caused by the Retrieval Augmented Generation (RAG) search tools not properly validating URLs supplied at runtime. CVE-2026-2287 occurs because CrewAI does not properly verify that Docker is still running at runtime; it falls back to a sandbox setting that permits remote code execution (RCE). CVE-2026-2285 is an arbitrary local file read vulnerability in the JSON loader tool, which reads files without path validation and so exposes files on the server.

With the ability to influence a CrewAI agent using the Code Interpreter Tool through direct or indirect prompt injection, an attacker can use the four vulnerabilities to perform arbitrary file read, RCE, and server-side request forgery. The results vary based on whether the host machine is using Docker, or is in configuration mode or unsafe mode. The advisory states the attacker will achieve sandbox bypass and RCE/file read if the host machine is using Docker, or full RCE if the host machine is in configuration mode or unsafe mode. It also states that arbitrary file read and SSRF can be used for credential theft, while RCE can be used for further leveraging of the compromised device.

During coordinated disclosure, the vendor provided a statement addressing CVE-2026-2275 and CVE-2026-2287. The vendor indicated plans to add ctypes and related modules to BLOCKED_MODULES in an upcoming release, evaluate configuration changes to fail closed rather than fall back to sandbox mode, provide clearer runtime warnings when sandbox mode is active, and improve security-related documentation. At the time of writing, no complete patch was available for all disclosed vulnerabilities.

Until fixes are released, the guidance provided is to remove, restrict, or disable the Code Interpreter Tool wherever possible; avoid enabling allow_code_execution=True unless absolutely necessary; limit the agent's exposure to untrusted input, or sanitize input as appropriate; and monitor Docker availability to prevent fallback to insecure sandbox modes. The vendor guidance and actions described are limited to the items stated in the advisory.
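The following Python module is an added illustration of the three defensive controls the advisory's guidance and vulnerability descriptions point at: refusing to run code when Docker isolation is unavailable instead of falling back, validating URLs before a retrieval tool fetches them, and confining file reads to an allowed root. It is not CrewAI's own code; the function names, the blocked-host list, and the sample paths and URLs are assumptions constructed for this example, and the `docker info` probe assumes the standard Docker CLI.

```python
"""Defensive pre-flight checks for an agent framework that can execute code,
fetch URLs, or read local files. Added example, not CrewAI's own code: all
function names and policy values here are assumptions for illustration."""
import ipaddress
import os
import shutil
import subprocess
from urllib.parse import urlsplit

# Hostnames that commonly front cloud metadata or local services (constructed list,
# extend for your environment).
BLOCKED_HOSTS = {"localhost", "metadata", "metadata.google.internal", "169.254.169.254"}
ALLOWED_SCHEMES = {"http", "https"}


def docker_reachable(timeout: float = 5.0) -> bool:
    """True only when the Docker CLI exists AND the daemon answers `docker info`.
    Any failure (missing binary, timeout, non-zero exit) counts as unavailable."""
    if shutil.which("docker") is None:
        return False
    try:
        proc = subprocess.run(["docker", "info"], capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


def select_execution_mode(allow_code_execution: bool, docker_ok: bool) -> str:
    """Fail closed: never degrade silently to an in-process sandbox.
    Returns 'disabled' or 'docker'; raises when isolation is requested but absent."""
    if not allow_code_execution:
        return "disabled"
    if docker_ok:
        return "docker"
    raise RuntimeError("code execution requested but Docker isolation is unavailable; refusing to fall back")


def is_safe_fetch_url(url: str) -> bool:
    """Reject URLs whose literal host is loopback, link-local, private, reserved,
    or a known metadata name. Only literal hosts are checked here; a DNS name must
    be resolved and the resulting address re-checked before the connection is made."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in BLOCKED_HOSTS or host.endswith((".internal", ".local")):
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name not on the block list: resolve and re-check the address
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def resolve_within_root(requested: str, root: str) -> str:
    """Return the real path of `requested` if it stays inside `root`, else raise.
    realpath collapses '..' and symlinks first; an absolute `requested` replaces
    the root in os.path.join and is therefore rejected by the prefix check."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError(f"path escapes allowed root: {requested}")
    return target


if __name__ == "__main__":
    docker_ok = docker_reachable()
    print("docker reachable:", docker_ok)
    print(is_safe_fetch_url("https://example.com/data.json"))            # True
    print(is_safe_fetch_url("http://169.254.169.254/latest/meta-data/"))  # False
    print(resolve_within_root("reports/q1.json", "/srv/agent-data"))      # inside root
```

Wire `select_execution_mode(cfg.allow_code_execution, docker_reachable())` into agent start-up rather than into the tool call itself, so a daemon that dies mid-run is detected on the next start instead of being replaced by an in-process fallback; re-probe before each execution if runs are long-lived.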