VU#221883: CrewAI contains multiple vulnerabilities including SSRF, RCE and local file read
CrewAI, a tool for building multi-agent AI systems, suffers from four critical vulnerabilities. These vulnerabilities include remote code execution (RCE), arbitrary local file read, and server-side request forgery (SSRF). CVE-2026-2275, specifically, exploits the Code Interpreter Tool within CrewAI. The other vulnerabilities arise from insecure default configurations in the main agent and associated Docker images. An attacker can exploit these issues through prompt injection if they can interact with a CrewAI agent utilizing the Code Interpreter Tool. These vulnerabilities can be chained together for a greater impact. CVE-2026-2275 involves fallback to SandboxPython, leading to code execution via arbitrary C function calls. Improperly validated URLs in RAG search tools within CrewAI lead to a server-side request forgery (SSRF) vulnerability. CrewAI's failure to verify Docker's runtime status also contributes to RCE via sandbox fallbacks. An arbitrary local file read vulnerability exists within the JSON loader tool due to a lack of path validation. Exploitation allows for credential theft or further device compromise. The vendor has addressed some vulnerabilities but a complete patch is not available yet.