CrewAI Vulnerabilities Expose Devices to Hacking

Summary

Security researcher Yarden Porat discovered four vulnerabilities in the open-source CrewAI framework that can be chained together to achieve remote code execution and sandbox escape. The bugs stem from improper fallback behavior when Docker is unavailable, insecure default configurations, and insufficient input validation. Attackers can exploit these flaws through prompt injection to execute arbitrary Python code, read files, or perform server-side request forgery attacks on systems running CrewAI agents.

Full text

Threat actors can chain four vulnerabilities in CrewAI to perform various types of attacks, including remote code execution. An open source multi-agent orchestration framework based on Python, CrewAI supports the creation of multi-agent AI systems that collaborate in completing specific tasks and workflows defined by developers. The four issues, discovered by Yarden Porat of Cyata, are dependent on the use of the Code Interpreter tool, which enables users to execute Python code within a secure Docker container. The first of the bugs, tracked as CVE-2026-2275, exists because the Code Interpreter tool falls back to SandboxPython when unable to access Docker. If a flag that enables code execution is set in the agent configuration, or if a developer manually adds the Code Interpreter tool, this behavior could lead to code execution through arbitrary C function calls, a CERT/CC advisory explains. Successful exploitation of the CVE could allow attackers to trigger the other three flaws, which are caused by improper default configuration settings.Advertisement. Scroll to continue reading. One of them, CVE-2026-2286, is described as a server-side request forgery (SSRF) bug that allows attackers to retrieve content from internal and cloud services. It exists because the RAG search tools fail to properly validate URLs provided at runtime. Next is CVE-2026-2287, a bug caused by CrewAI failing to properly check if Docker is still running at runtime and falling back to a sandbox setting that enables remote code execution. Finally, CVE-2026-2285 is an arbitrary local file read defect impacting the JSON loader tool, which does not validate paths when reading files, enabling access to arbitrary files on the server. An attacker could chain the four issues by influencing a CrewAI agent that uses the Code Interpreter tool, through either direct or indirect prompt injections. Successful exploitation of the security defects could allow attackers to escape the sandbox and execute code on the host machine or read files from its file system. The bugs could also be exploited to steal credentials. While no patch has been released to fully address the vulnerabilities, CrewAI’s maintainers are working on solutions to address them through the blocking of certain modules, configuration changes to fail closed instead of falling back, clearer runtime warnings, and updated security-related documentation. Removing or restricting the Code Interpreter tool, disabling the code execution flag unless necessary, limiting agent exposure to untrusted input and applying input sanitization, and preventing fallback to insecure sandbox modes should mitigate the bugs. Related: Exploitation of Critical Fortinet FortiClient EMS Flaw Begins Related: StrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNs Related: Oracle Releases Emergency Patch for Critical Identity Manager Vulnerability Related: Critical ScreenConnect Vulnerability Exposes Machine Keys Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Huskeys Emerges From Stealth With $8 Million in FundingRussian APT Star Blizzard Adopts DarkSword iOS Exploit KitTelnyx Targeted in Growing TeamPCP Supply Chain AttackExploitation of Fresh Citrix NetScaler Vulnerability BeginsF5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the WildCloudflare-Themed ClickFix Attack Drops Infiniti Stealer on MacsOpenAI Launches Bug Bounty Program for Abuse and Safety RisksTP-Link Patches High-Severity Router Vulnerabilities Latest News TeamPCP Moves From OSS to AWS EnvironmentsGoogle Slashes Quantum Resource Requirements for Breaking Cryptocurrency EncryptionExploitation of Critical Fortinet FortiClient EMS Flaw BeginsStrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNsLloyds Data Security Incident Impacts 450,000 IndividualsCritical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise Healthcare IT Platform CareCloud Probing Potential Data BreachSilent Drift: How LLMs Are Quietly Breaking Organizational Access Control Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-2275
• cve — CVE-2026-2286
• cve — CVE-2026-2287
• cve — CVE-2026-2285
• malware — CrewAI Code Interpreter Tool