CVE-2026-2275
Published: 30 March 2026
Summary
CVE-2026-2275 is a critical-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in CrewAI (inferred from references). Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 35.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2275 is a critical-severity vulnerability in the CrewAI CodeInterpreter tool, published on 2026-03-30. The issue arises when the tool cannot connect to Docker and falls back to SandboxPython, allowing remote code execution (RCE) via arbitrary C function calling. It carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and maps to CWE-749 (Exposed Dangerous Method or Function).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity, though it requires user interaction. Exploitation enables high-impact compromise of confidentiality, integrity, and availability across the affected scope, culminating in arbitrary code execution on the host system through malicious input that triggers the fallback mechanism.
Mitigation guidance is available in the CrewAI documentation at https://docs.crewai.com/en/tools/ai-ml/codeinterpretertool and the CERT advisory at https://www.kb.cert.org/vuls/id/221883.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17117
Vulnerability details
The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling.
- CWE(s): CWE-749 (Exposed Dangerous Method or Function)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: crewai, function calling
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via fallback to SandboxPython enables client-side exploitation and Python command execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly remediates the flaw in CrewAI CodeInterpreter's fallback to SandboxPython that enables RCE via arbitrary C function calling.
Prohibits or restricts the vulnerable SandboxPython fallback mechanism, limiting the tool to essential secure capabilities like Docker.
Validates and restricts inputs to the CodeInterpreter tool to block malicious payloads exploiting arbitrary C function calls in the fallback.