The rapidly growing field of multi-agent AI systems has hit a significant security speed bump. A new vulnerability note from CERT/CC has detailed four distinct security flaws within CrewAI, a popular framework used to build and orchestrate autonomous AI agents. These vulnerabilities—ranging from Remote Code Execution (RCE) to Server-Side Request Forgery (SSRF)—could allow an attacker to completely bypass sandboxes and compromise host systems.
At the heart of the issue is how CrewAI handles its Code Interpreter Tool, which is designed to execute Python code within a secure Docker container. However, researchers found that the system’s “insecure fallback behaviors” create a dangerous opening. Specifically, CVE-2026-2275 and CVE-2026-2287 highlight a failure in environment validation. According to the note:
“The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable code execution through arbitrary C function calls”.
Furthermore, the system “does not properly check that Docker is still running during runtime,” automatically reverting to a sandbox setting that remains “vulnerable to RCE exploitation”.
Beyond code execution, the report identifies two other critical flaws that expand an attacker’s reach:
- CVE-2026-2286 (SSRF): This flaw allows for “content acquisition from internal and cloud services” because RAG (Retrieval-Augmented Generation) search tools fail to validate URLs provided at runtime.
- CVE-2026-2285 (Local File Read): The JSON loader tool reads files without proper path validation, “enabling access to files on the server”.
By utilizing direct or indirect prompt injection, an attacker can influence an agent to chain these vulnerabilities together. This can lead to “credential theft” via SSRF or “full RCE if the host machine is in configuration mode or unsafe mode”.
The vendor has addressed some of these concerns, indicating plans to block dangerous modules such as ctypes and to evaluate changes so that the system will “fail closed rather than fall back to sandbox mode”.
However, the report warns that “at the time of writing, no complete patch is available for all disclosed vulnerabilities”. Until a comprehensive fix is released, organizations using CrewAI are advised to take the following precautions:
- Restrict Tools: Remove or disable the Code Interpreter Tool whenever possible.
- Change Settings: Avoid enabling the allow_code_execution=True setting unless it is absolutely necessary for operations.
- Sanitize Inputs: Limit agent exposure to untrusted inputs to prevent prompt injection attempts.
- Monitor Docker: Ensure Docker is consistently available to “prevent fallback to insecure sandbox modes”.
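One way to implement the last two recommendations in code, as an added example that is not part of the CERT/CC note or of CrewAI itself: a wrapper that re-checks the Docker daemon on every call and refuses to run rather than degrade to an in-process sandbox. The class name, the `docker info` probe and the container hardening flags are assumptions for illustration.

```python
"""Fail-closed gate for agent code execution (added example, not CrewAI code).

The page describes a tool that silently falls back to an in-process
sandbox when Docker is unreachable, at start-up or later at runtime.
This wrapper probes the daemon before *every* run and raises instead.
"""
import subprocess
from typing import Callable, List, Optional


class ExecutionRefused(RuntimeError):
    """Raised instead of falling back to a weaker execution mode."""


def docker_is_running(timeout: float = 5.0) -> bool:
    """Probe daemon liveness: `docker info` exits non-zero if it is down."""
    try:
        r = subprocess.run(["docker", "info"], capture_output=True, timeout=timeout)
        return r.returncode == 0
    except (OSError, subprocess.SubprocessError):  # binary missing, timeout
        return False


def docker_command(code: str, image: str = "python:3.12-slim") -> List[str]:
    """One isolated run: no network, read-only root fs, capped memory and
    PIDs, all capabilities dropped; code is an argv element, not a shell."""
    return ["docker", "run", "--rm", "--network", "none", "--read-only",
            "--memory", "256m", "--pids-limit", "64", "--cap-drop", "ALL",
            image, "python", "-c", code]


class FailClosedExecutor:
    def __init__(self, allow_code_execution: bool,
                 probe: Callable[[], bool] = docker_is_running,
                 runner: Optional[Callable[[List[str]], str]] = None):
        self.allow = allow_code_execution      # mirrors allow_code_execution
        self.probe = probe                     # injectable for testing
        self.runner = runner or self._run_docker

    @staticmethod
    def _run_docker(cmd: List[str]) -> str:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        return out.stdout

    def run(self, code: str) -> str:
        if not self.allow:
            raise ExecutionRefused("allow_code_execution is False")
        # Re-check on every call: a daemon that died after start-up must
        # never turn into an in-process fallback.
        if not self.probe():
            raise ExecutionRefused("Docker unreachable; refusing to fall back")
        return self.runner(docker_command(code))
```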