Multiple Vulnerabilities in CrewAI Allow Sandbox Escape and Remote Code Execution via Prompt Injection


189/69 Thursday, April 2, 2026

Four security vulnerabilities have been discovered in CrewAI, an open-source Python framework for managing AI multi-agent systems. These flaws could enable a range of attacks, including remote code execution (RCE). The primary issue originates from the Code Interpreter component, which is designed to execute Python code safely inside a Docker container. However, vulnerability CVE-2026-2275 arises when the system cannot access Docker and falls back to SandboxPython instead. If code execution is enabled, this fallback can allow attackers to execute arbitrary code through C function calls, as outlined by CERT/CC.

Attackers can chain this vulnerability with three additional issues caused by insecure default configurations. CVE-2026-2286 is a Server-Side Request Forgery (SSRF) vulnerability in the RAG search tool, allowing access to internal services and cloud resources. CVE-2026-2287 occurs when the system fails to verify Docker availability at runtime and switches to an insecure sandbox mode, enabling remote code execution. CVE-2026-2285 is a file read vulnerability in the JSON loader, which lacks proper path validation and allows access to arbitrary files on the server. These vulnerabilities can be exploited together using both direct and indirect prompt injection techniques to manipulate AI agents and execute malicious actions.

The potential impact includes sandbox escape, execution of code on the host machine, unauthorized file access, and credential theft. Although a complete patch is not yet available, the CrewAI development team is actively working on mitigations, including disabling vulnerable modules, improving alerting mechanisms, and preventing fallback to insecure modes. As interim mitigation measures, organizations are advised to restrict or disable the Code Interpreter, turn off code execution features if not required, validate and sanitize all inputs, and prevent fallback to insecure sandbox environments.
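The interim mitigations above map onto three defensive checks: never degrade silently from Docker to an in-process sandbox, confine any file-loading tool to an allowed directory, and refuse to let a server-side fetcher be steered at internal or cloud-internal addresses. The following is a constructed example added here to illustrate those checks; it is not CrewAI's code, and the function names, the `allow_insecure_fallback` flag, the blocked address list and the sample JSON file are all assumptions.

```python
"""Constructed hardening helpers for the mitigation themes above: fail-closed
sandbox selection, directory-confined JSON loading, and fetch-target vetting.
Hypothetical code, not CrewAI's; all names here are assumptions."""
import ipaddress
import json
import socket
import tempfile
from pathlib import Path
from urllib.parse import urlparse


class InsecureFallbackError(RuntimeError):
    """Raised instead of silently degrading to an in-process sandbox."""


def choose_execution_backend(docker_available: bool,
                             allow_insecure_fallback: bool = False) -> str:
    """Fail closed: without Docker, run in-process only if explicitly opted in."""
    if docker_available:
        return "docker"
    if allow_insecure_fallback:
        return "in-process"  # operator has knowingly accepted weaker isolation
    raise InsecureFallbackError(
        "Docker unavailable; refusing to fall back to in-process execution")


def resolve_within(base_dir: str, requested: str) -> Path:
    """Resolve `requested` (relative or absolute, possibly containing '..' or
    symlinks) and reject it unless the real path stays inside `base_dir`."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()  # an absolute `requested` replaces base
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes {base}: {requested}")
    return candidate


def load_json_confined(base_dir: str, requested: str):
    """JSON loader that only reads files located under base_dir."""
    with resolve_within(base_dir, requested).open(encoding="utf-8") as fh:
        return json.load(fh)


# Address ranges a server-side fetcher should never be steered to by a prompt
# (loopback, RFC 1918, link-local, unspecified, and their IPv6 counterparts).
_BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def is_safe_fetch_target(url: str, resolver=socket.gethostbyname) -> bool:
    """Return True only for http(s) URLs whose resolved address is public.
    `resolver` is injectable so the check can be exercised offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parsed.hostname)  # literal IP in the URL
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolver(parsed.hostname))
        except (OSError, ValueError):
            return False  # unresolvable or malformed: deny rather than guess
    return not any(addr in net for net in _BLOCKED_NETS)


def demo_confined_loader() -> dict:
    """Create a scratch directory holding one constructed JSON file and exercise
    the loader with a legitimate path, a '..' traversal and an absolute path."""
    with tempfile.TemporaryDirectory() as base:
        Path(base, "config.json").write_text('{"agent": "demo", "tools": 2}')
        loaded = load_json_confined(base, "config.json")
        outcomes = {}
        for label, attempt in (("traversal_blocked", "../../etc/hostname"),
                               ("absolute_blocked", "/etc/hostname")):
            try:
                load_json_confined(base, attempt)
                outcomes[label] = False
            except PermissionError:
                outcomes[label] = True
    outcomes["loaded"] = loaded
    return outcomes


if __name__ == "__main__":
    print(choose_execution_backend(docker_available=True))
    print(demo_confined_loader())
    print(is_safe_fetch_target("http://127.0.0.1:8080/admin"))
```

Two design points matter in practice. The sandbox selector raises rather than returning a weaker backend, so a missing Docker daemon surfaces as an error at startup instead of as a silent downgrade that only shows up in an incident review. The fetch check resolves the hostname itself; to avoid a DNS-rebinding gap, the HTTP client should then connect to that same resolved address rather than resolving the name a second time.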

Source: https://www.securityweek.com/crewai-vulnerabilities-expose-devices-to-hacking/