Aggregates CVE and security vulnerability intelligence across all crewai-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve server-side request forgery (SSRF) and related vendor-risk security problems, affecting vendor-surface software deployment and vendor-surface production workload scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-2287 | CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation. | [email protected] | 9.8 | 0.69% | 2026-03-30 | 2026-06-17 |
| CVE-2026-2286 | CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime. | [email protected] | 9.8 | 0.47% | 2026-03-30 | 2026-06-17 |
| CVE-2026-2285 | CrewAI contains an arbitrary local file read vulnerability in the JSON loader tool, which reads files without path validation, enabling access to files on the server. | [email protected] | 7.5 | 0.60% | 2026-03-30 | 2026-06-17 |