CVE-2026-2275

Critical

Published: 30 March 2026

Modified: 01 April 2026
CVSS v3.1 Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0044 (35.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-2275 is a critical-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in CrewAI (inferred from references). Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 35.2th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2275 is a critical-severity vulnerability in the CrewAI CodeInterpreter tool, published on 2026-03-30. The issue arises when the tool cannot connect to Docker and falls back to SandboxPython, allowing remote code execution (RCE) via arbitrary C function calling. It carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and maps to CWE-749 (Exposed Dangerous Method or Function).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity, though it requires user interaction. Exploitation enables high-impact compromise of confidentiality, integrity, and availability across the affected scope, culminating in arbitrary code execution on the host system through malicious input that triggers the fallback mechanism.

Mitigation guidance is available in the CrewAI documentation at https://docs.crewai.com/en/tools/ai-ml/codeinterpretertool and the CERT advisory at https://www.kb.cert.org/vuls/id/221883.

Vulnerability details

The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling.

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: crewai, function calling

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.006 Python (tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.

Why these techniques?

RCE via fallback to SandboxPython enables client-side exploitation and Python command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53964 (shared CWE-749)
CVE-2026-22812 (shared CWE-749)
CVE-2026-4051 (shared CWE-749)
CVE-2025-24359 (shared CWE-749)
CVE-2026-35488 (shared CWE-749)
CVE-2026-33583 (shared CWE-749)
CVE-2026-30921 (shared CWE-749)
CVE-2026-5173 (shared CWE-749)
CVE-2024-13242 (shared CWE-749)
CVE-2025-47366 (shared CWE-749)

Affected Assets

CrewAI (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly remediates the flaw in CrewAI CodeInterpreter's fallback to SandboxPython that enables RCE via arbitrary C function calling.

Prevent: Prohibits or restricts the vulnerable SandboxPython fallback mechanism, limiting the tool to essential secure capabilities like Docker.

Prevent: Validates and restricts inputs to the CodeInterpreter tool to block malicious payloads exploiting arbitrary C function calls in the fallback.
