Threat actors can chain four vulnerabilities in CrewAI to perform various types of attacks, including remote code execution, according to the article. The flaws, identified as CVE-2026-2275, CVE-2026-2286, CVE-2026-2287 and CVE-2026-2285, arise from how the Code Interpreter tool and sandboxing interact with Docker and runtime URL validation, as described in a CERT/CC advisory.
One bug enables code execution via arbitrary C function calls when a code execution flag is set or the Code Interpreter tool is added, while another allows server-side request forgery to retrieve content from internal and cloud services. A third bug concerns checks for Docker running at runtime, and the fourth involves an arbitrary local file read defect in the JSON loader that bypasses path validation.
The article notes there is no patch yet, and suggests mitigations such as removing or restricting the Code Interpreter tool, disabling the code execution flag unless needed, limiting exposure to untrusted input, and failing closed rather than falling back to insecure sandbox modes.
31 March 2026.
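The "fail closed" mitigation, sketched as an added example that is not code from CrewAI, the article or the advisory: a launcher that refuses to run generated code unless execution is explicitly enabled and a Docker daemon answers, instead of dropping to a weaker mode. The names `build_run_command`, `docker_is_running`, `ExecutionRefused` and `enabled`, and the image tag, are assumptions made for illustration.

```python
import shutil
import subprocess
from typing import Callable

class ExecutionRefused(RuntimeError):
    """No isolated runtime is available, so the code must not run at all."""

def docker_is_running(timeout: float = 5.0) -> bool:
    """True only if the docker CLI exists and the daemon answers `docker info`."""
    if shutil.which("docker") is None:
        return False
    try:
        done = subprocess.run(["docker", "info"], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0

def build_run_command(code: str, *, enabled: bool = False,
                      probe: Callable[[], bool] = docker_is_running,
                      image: str = "python:3.12-slim") -> list[str]:
    """Return a locked-down `docker run` argv, or raise; never fall back to the host."""
    if not enabled:  # code execution stays off unless explicitly switched on
        raise ExecutionRefused("code execution is disabled")
    try:
        available = probe() is True  # anything but a clean True counts as "no"
    except Exception:
        available = False  # a broken check is treated as "Docker not running"
    if not available:
        raise ExecutionRefused("Docker is not running; refusing to execute unsandboxed")
    # No network, read-only root, no capabilities, unprivileged user, bounded resources.
    return ["docker", "run", "--rm", "--network", "none", "--read-only",
            "--cap-drop", "ALL", "--security-opt", "no-new-privileges",
            "--pids-limit", "64", "--memory", "256m", "--user", "65534:65534",
            image, "python", "-I", "-c", code]

if __name__ == "__main__":
    try:
        print(build_run_command("print(2 + 2)", enabled=True))
    except ExecutionRefused as exc:
        print("refused:", exc)
```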