
CrewAI Vulnerabilities Allow Attackers to Bypass Sandboxes and Compromise Systems

CrewAI, a widely used framework for orchestrating multi-agent AI systems, has been found vulnerable to a chain of critical security flaws that allow attackers to escape sandboxed environments and fully compromise the underlying host machine.

Security researcher Yarden Porat from Cyata discovered four vulnerabilities in the framework that expose it to remote code execution (RCE), server-side request forgery (SSRF), and arbitrary local file reads.

These flaws can be triggered through direct or indirect prompt injection, allowing malicious actors to manipulate AI agents into executing unauthorized actions.

The Four CVEs at a Glance

The vulnerabilities are tracked under the following identifiers:

  • CVE-2026-2275 — The Code Interpreter Tool silently falls back to a vulnerable SandboxPython environment when Docker is unreachable, allowing attackers to execute arbitrary C function calls via ctypes.
  • CVE-2026-2286 — An SSRF flaw in RAG search tools stems from missing URL validation at runtime, granting unauthorized access to internal networks and cloud metadata services.
  • CVE-2026-2287 — CrewAI does not continuously verify Docker availability during execution. If Docker goes offline mid-session, the system silently reverts to an insecure sandbox mode vulnerable to RCE.
  • CVE-2026-2285 — The JSON loader tool lacks file path validation, enabling threat actors to read sensitive files directly off the server’s filesystem.

The attack heavily relies on the Code Interpreter Tool being active within a CrewAI deployment. An attacker first uses prompt injection to hijack an AI agent.

From there, the impact depends on the host configuration.

On a Docker-enabled host, the attacker can achieve a sandbox escape. On hosts running in configuration or unsafe modes, the attacker can achieve full remote code execution, effectively taking complete control of the device.

Credential theft and lateral network movement are additional post-exploitation risks.

As of now, no complete patch exists for all four vulnerabilities.

The vendor has acknowledged the issues and plans to release updates that block unsafe modules such as ctypes and enforce fail-secure behavior instead of falling back to an open sandbox.

Until an official fix is released, administrators should take the following steps immediately:

  • Disable the Code Interpreter Tool entirely and do not set allow_code_execution=True on agents unless absolutely required.
  • Sanitize all untrusted agent inputs to prevent prompt injection attacks from reaching the agent’s execution layer.
  • Strictly monitor Docker availability to prevent the framework from silently triggering vulnerable fallback sandbox modes.
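As an added example (not code from the article and not CrewAI's own API), the Python below shows what the three mitigations look like as defensive checks a deployment could wrap around its tools: a fail-secure sandbox selector that re-checks the Docker daemon on every request and raises instead of downgrading, a request-time URL validator that rejects loopback, private, link-local and cloud-metadata destinations (including IPv4-mapped IPv6 forms and hostnames that resolve to internal addresses), and a path-confinement helper for a file loader. All function names, the sample base directory and the stub DNS table are constructed for illustration; the `self_check` function exercises every guard offline without Docker or network access.

```python
import ipaddress
import shutil
import socket
import subprocess
from pathlib import Path
from urllib.parse import urlparse


class SandboxUnavailable(RuntimeError):
    """Raised instead of downgrading to an in-process interpreter."""


def docker_is_reachable(probe=None) -> bool:
    """True only when the Docker daemon actually answers. `probe` is an
    injectable callable (used by self_check); the default runs `docker info`."""
    if probe is not None:
        return bool(probe())
    if shutil.which("docker") is None:
        return False
    try:
        result = subprocess.run(["docker", "info"], capture_output=True, timeout=5)
        return result.returncode == 0
    except (OSError, subprocess.SubprocessError):
        return False


def select_sandbox(probe=None) -> str:
    """Fail secure: re-check the daemon on every code-execution request and
    raise rather than silently falling back when it has gone away."""
    if docker_is_reachable(probe):
        return "docker"
    raise SandboxUnavailable("Docker unreachable; refusing in-process fallback")


# Hostnames that must never be fetched regardless of what they resolve to.
_BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def _is_non_public(ip) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:a.b.c.d exactly like a.b.c.d
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolver=socket.gethostbyname_ex) -> str:
    """Check scheme, hostname and every resolved address at request time,
    not only when the tool is configured. Returns the URL or raises."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or host.lower().rstrip(".") in _BLOCKED_HOSTNAMES:
        raise ValueError(f"host not allowed: {host!r}")
    try:
        addrs = [ipaddress.ip_address(host)]       # literal IP in the URL
    except ValueError:
        _, _, raw = resolver(host)                 # hostname: check what it resolves to
        addrs = [ipaddress.ip_address(a) for a in raw]
    for ip in addrs:
        if _is_non_public(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url


def resolve_within(base: str, requested: str) -> Path:
    """Confine a loader's file argument to `base` after resolving '..' and symlinks.
    An absolute `requested` path replaces `base` under Path joining, so it is
    caught by the same containment check."""
    base_dir = Path(base).resolve()
    target = (base_dir / requested).resolve()
    if target != base_dir and base_dir not in target.parents:
        raise PermissionError(f"{requested!r} escapes {base_dir}")
    return target


def self_check() -> dict:
    """Exercise every guard with constructed inputs: stub DNS, stub Docker probe."""
    fake_dns = {"internal.corp.example": ["10.0.0.5"],
                "www.example.com": ["93.184.216.34"]}

    def resolver(host):
        return host, [], fake_dns[host]

    def blocked(fn, *args):
        try:
            fn(*args)
            return False
        except (ValueError, PermissionError, SandboxUnavailable):
            return True

    base = "/srv/crew/data"  # constructed sample directory; need not exist
    return {
        "fail_secure_when_docker_down": blocked(select_sandbox, lambda: False),
        "docker_selected_when_up": select_sandbox(lambda: True) == "docker",
        "metadata_ip_blocked": blocked(validate_outbound_url, "http://169.254.169.254/latest/meta-data/", resolver),
        "loopback_name_blocked": blocked(validate_outbound_url, "http://localhost:6379/", resolver),
        "mapped_v6_blocked": blocked(validate_outbound_url, "http://[::ffff:127.0.0.1]/", resolver),
        "private_dns_blocked": blocked(validate_outbound_url, "https://internal.corp.example/", resolver),
        "file_scheme_blocked": blocked(validate_outbound_url, "file:///etc/passwd", resolver),
        "public_url_allowed": validate_outbound_url("https://www.example.com/docs", resolver).endswith("/docs"),
        "traversal_blocked": blocked(resolve_within, base, "../../../etc/passwd"),
        "absolute_path_blocked": blocked(resolve_within, base, "/etc/passwd"),
        "in_tree_allowed": resolve_within(base, "reports/q1.json").name == "q1.json",
    }


if __name__ == "__main__":
    for name, ok in self_check().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Two caveats a practitioner should keep in mind: resolving a hostname at validation time and again at connection time leaves a DNS-rebinding window, so the HTTP client should ideally connect to the already-validated address (or re-validate on redirects); and `socket.gethostbyname_ex` returns only IPv4 records, so an AAAA-only internal host would need `socket.getaddrinfo` instead.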

Security teams running CrewAI in production environments should treat these vulnerabilities as critical-severity and apply mitigations without delay while awaiting vendor patches.


The post CrewAI Vulnerabilities Allow Attackers to Bypass Sandboxes and Compromise Systems appeared first on Cyber Security News.
