Cyber Resilience

CVE-2026-2286

Critical

Published: 30 March 2026

Published
30 March 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0047 36.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-2286 is a critical-severity SSRF (CWE-918) vulnerability in Crewai Crewai. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2286 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the CrewAI software. The issue resides in the RAG search tools, which do not properly validate URLs provided at runtime, enabling unauthorized content acquisition from internal and cloud services. Published on 2026-03-30, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network with no user interaction needed. By supplying crafted URLs to the RAG search tools, the attacker can induce CrewAI to fetch content from restricted internal services or cloud resources, potentially compromising sensitive data (high confidentiality impact), modifying systems (high integrity impact), or disrupting availability (high availability impact).

Mitigation guidance is available in the CERT advisory at https://www.kb.cert.org/vuls/id/221883.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: crewai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in public-facing CrewAI RAG tools directly enables remote exploitation of the application (T1190) and unauthorized retrieval of cloud/internal service data including metadata APIs (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2287Same product: Crewai Crewai
CVE-2026-2285Same product: Crewai Crewai
CVE-2026-25580Shared CWE-918
CVE-2026-42449Shared CWE-918
CVE-2026-45310Shared CWE-918
CVE-2026-39885Shared CWE-918
CVE-2026-33039Shared CWE-918
CVE-2026-33351Shared CWE-918
CVE-2026-40150Shared CWE-918
CVE-2024-7959Shared CWE-918

Affected Assets

crewai
crewai
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SSRF by requiring validation of runtime-provided URLs in RAG search tools to prevent unauthorized requests to internal and cloud services.

prevent

Enforces information flow control policies that restrict CrewAI from accessing unauthorized internal or cloud resources induced by crafted URLs.

preventdetect

Monitors and controls outbound communications at system boundaries to block or detect SSRF attempts targeting internal services.

References