Critical Vulnerabilities in CrewAI Framework Enable Remote Code Execution and Data Theft
Security researcher Yarden Porat of Cyata has uncovered four critical vulnerabilities in CrewAI, an open-source Python-based framework for multi-agent AI orchestration. If chained together, these flaws could allow threat actors to execute arbitrary code, access sensitive files, and steal credentials from affected systems.
The vulnerabilities, CVE-2026-2275, CVE-2026-2286, CVE-2026-2287, and CVE-2026-2285, stem from improper configurations and insecure fallback mechanisms in the Code Interpreter tool, which executes Python code inside a Docker container. The first flaw (CVE-2026-2275) occurs when the tool silently falls back to an insecure SandboxPython environment if Docker is unavailable, allowing arbitrary C function calls when code execution is enabled in the agent's configuration.
Exploiting this flaw can trigger the remaining vulnerabilities:
- CVE-2026-2286: A server-side request forgery (SSRF) bug in RAG search tools, enabling attackers to access internal and cloud services due to improper URL validation.
- CVE-2026-2287: A remote code execution (RCE) risk caused by CrewAI failing to verify Docker’s runtime status, falling back to an insecure sandbox.
- CVE-2026-2285: An arbitrary file read issue in the JSON loader tool, allowing unauthorized access to local files due to unvalidated file paths.
Attackers could exploit these flaws through direct or indirect prompt injections, bypassing sandbox protections to execute code on the host machine or exfiltrate data. While no official patch has been released, CrewAI’s maintainers are developing mitigations, including blocking vulnerable modules, enforcing fail-closed configurations, and updating security documentation.
Temporary workarounds include disabling the Code Interpreter tool, restricting code execution flags, and applying input sanitization to limit exposure. The vulnerabilities highlight risks in AI agent frameworks, particularly when handling untrusted input.
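The three root causes the report names (an insecure fallback, unvalidated file paths, and improper URL validation) each map to a fail-closed check. The following is an added example written for this page, not CrewAI's own code; the helper names, the base-directory confinement policy and the "globally routable addresses only" rule are assumptions.

```python
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlparse


class SandboxUnavailable(RuntimeError):
    """Raised instead of silently degrading to a weaker executor."""


def select_executor(docker_available: bool, allow_unsafe_fallback: bool = False) -> str:
    """Fail closed (hypothetical helper): run code only when the Docker
    sandbox is up; an in-process fallback must be an explicit opt-in,
    never the silent default."""
    if docker_available:
        return "docker"
    if allow_unsafe_fallback:
        return "unsafe-inprocess"
    raise SandboxUnavailable("Docker runtime unavailable; refusing to execute code")


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Confine a loader's file path to base_dir. Resolving collapses '..'
    and symlinks; an absolute user_path replaces base_dir and is rejected."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if base not in target.parents:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    return target


def is_safe_fetch_url(url: str) -> bool:
    """Allow only http(s) URLs whose every resolved address is globally
    routable, so loopback, RFC 1918 and link-local (cloud metadata)
    targets are refused before any request is made."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        infos = socket.getaddrinfo(parsed.hostname, None)
    except socket.gaierror:
        return False  # unresolvable: treat as unsafe
    for info in infos:
        ip = ipaddress.ip_address(info[4][0].split("%")[0])
        if not ip.is_global:
            return False
    return True
```

Note that the URL check resolves the host once; a later HTTP request resolves it again, so a production filter should also pin the connection to the vetted address.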
Source: https://www.securityweek.com/crewai-vulnerabilities-expose-devices-to-hacking/
CrewAI cybersecurity rating report: https://www.rankiteo.com/company/crewai-inc
{
  "id": "CRE1774967753",
  "linkid": "crewai-inc",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'AI/Technology',
                        'name': 'CrewAI',
                        'type': 'Open-Source Framework'}],
 'attack_vector': ['Direct Prompt Injection', 'Indirect Prompt Injection'],
 'data_breach': {'data_exfiltration': 'Possible',
                 'type_of_data_compromised': ['Sensitive files', 'Credentials']},
 'description': 'Security researcher Yarden Porat of Cyata has uncovered four critical vulnerabilities in CrewAI, an open-source Python-based framework for multi-agent AI orchestration. If chained together, these flaws could allow threat actors to execute arbitrary code, access sensitive files, and steal credentials from affected systems.',
 'impact': {'data_compromised': ['Sensitive files', 'Credentials'],
            'systems_affected': ['CrewAI Framework']},
 'lessons_learned': 'The vulnerabilities highlight risks in AI agent frameworks, particularly when handling untrusted input.',
 'post_incident_analysis': {'corrective_actions': ['Blocking vulnerable modules',
                                                   'Enforcing fail-closed configurations',
                                                   'Updating security documentation'],
                            'root_causes': ['Improper configurations',
                                            'Insecure fallback mechanisms',
                                            'Improper URL validation',
                                            'Unvalidated file paths']},
 'recommendations': ['Disable the Code Interpreter tool',
                     'Restrict code execution flags',
                     'Apply input sanitization',
                     'Block vulnerable modules',
                     'Enforce fail-closed configurations',
                     'Update security documentation'],
 'references': [{'source': 'Cyata (Yarden Porat)'}],
 'response': {'containment_measures': ['Disabling the Code Interpreter tool',
                                       'Restricting code execution flags',
                                       'Applying input sanitization'],
              'remediation_measures': ['Blocking vulnerable modules',
                                       'Enforcing fail-closed configurations',
                                       'Updating security documentation']},
 'title': 'Critical Vulnerabilities in CrewAI Framework Enable Remote Code Execution and Data Theft',
 'type': ['Remote Code Execution',
          'Data Theft',
          'Server-Side Request Forgery',
          'Arbitrary File Read'],
 'vulnerability_exploited': ['CVE-2026-2275',
                             'CVE-2026-2286',
                             'CVE-2026-2287',
                             'CVE-2026-2285']}