Researchers found four vulnerabilities in the open-source Python multi-agent framework CrewAI that can be chained to escape the Code Interpreter's sandbox (via its SandboxPython fallback) and execute arbitrary code on the host, perform SSRF, and read local files. CrewAI maintainers are working on mitigations including blocking risky modules, changing defaults to fail closed, clearer runtime warnings, and guidance to remove or restrict the Code Interpreter and harden agent configurations. #CrewAI #CVE-2026-2275
Keypoints
- Four CrewAI vulnerabilities can be chained to escape the sandbox and execute code on the host.
- CVE-2026-2275: the Code Interpreter falls back to SandboxPython when Docker is unavailable, enabling arbitrary C function calls.
- CVE-2026-2286: RAG search tools fail to validate runtime URLs, allowing SSRF to access internal and cloud services.
- CVE-2026-2287 and CVE-2026-2285: improper Docker runtime checks and an insecure JSON loader enable remote code execution and arbitrary local file reads.
- Attackers can influence agents via direct or indirect prompt injection to trigger the chain and potentially steal credentials.
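The SSRF keypoint describes a tool that fetches URLs chosen at runtime (by the agent, and so indirectly by whoever can inject into its prompt) without validating them. The block below is an added example written for this summary; it is not CrewAI's code and not taken from the advisory. It shows the check such a tool should apply before any fetch: scheme, userinfo and port restrictions, a hostname allowlist, rejection of IP literals in loopback, private and link-local ranges (the cloud metadata endpoint 169.254.169.254 lives in the last of these), and a re-check of the address the name actually resolved to so that DNS rebinding cannot turn an allowlisted name into an internal target. The policy constants (ALLOWED_HOSTS, ALLOWED_PORTS), the function name check_url and the sample URLs are assumptions of this example.

```python
"""Runtime URL validation for an agent tool that fetches URLs on demand.

Added illustration of an SSRF guard; not CrewAI's code. Policy values below
are hypothetical and would be configured per deployment.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy: hosts a search/RAG tool may reach, and on which ports.
ALLOWED_HOSTS = {"docs.example.com", "kb.example.org"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme default


def _blocked_address(ip):
    """True for addresses an agent tool must never reach: loopback, RFC 1918,
    link-local (includes 169.254.169.254, the cloud metadata endpoint),
    multicast, reserved and unspecified."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url, resolved_ip=None):
    """Return (allowed, reason) for a URL the agent wants to fetch.

    `resolved_ip` is the address the hostname resolved to at connect time;
    passing it lets the caller reject DNS rebinding to an internal address
    even when the name itself is on the allowlist.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased; IPv6 brackets already stripped
        port = parts.port      # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    if not host:
        return False, "missing host"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    host = host.rstrip(".")

    # IP literals: refuse anything in an internal range outright.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None and _blocked_address(literal):
        return False, f"IP literal {host} is in a blocked range"

    # Everything else must be explicitly allowlisted by name.
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"

    # Rebinding defence: the name is fine, but where did it actually point?
    if resolved_ip is not None and _blocked_address(ipaddress.ip_address(resolved_ip)):
        return False, f"{host} resolved to blocked address {resolved_ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, as an agent might emit them.
    samples = [
        "https://docs.example.com/guide",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.1]/admin",
        "file:///etc/passwd",
        "https://user:pw@docs.example.com/",
        "https://docs.example.com:8443/",
        "http://localhost/",
    ]
    for u in samples:
        print(f"{u:45} -> {check_url(u)}")
    print(check_url("https://docs.example.com/", resolved_ip="10.1.2.3"))
```

The resolved-address check is the part most tools skip: validate the name, then let the HTTP library resolve it again at connect time. Do the lookup once, pass the result to check_url, and connect to that address (with the Host/SNI set to the original name) so the validated and the contacted address are the same.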
Read More: https://www.securityweek.com/crewai-vulnerabilities-expose-devices-to-hacking/