CVE-2026-2286

Critical

Published: 30 March 2026

Published

30 March 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 18.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2286 is a critical-severity SSRF (CWE-918) vulnerability in Crewai Crewai. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates SSRF by requiring validation of runtime-provided URLs in RAG search tools to prevent unauthorized requests to internal and cloud services.

AC-4 Information Flow Enforcement good match

prevent

Enforces information flow control policies that restrict CrewAI from accessing unauthorized internal or cloud resources induced by crafted URLs.

SC-7 Boundary Protection partial match

preventdetect

Monitors and controls outbound communications at system boundaries to block or detect SSRF attempts targeting internal services.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1552.005 Cloud Instance Metadata API Credential Access

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

attack.mitre.org →

Why these techniques?

SSRF in public-facing CrewAI RAG tools directly enables remote exploitation of the application (T1190) and unauthorized retrieval of cloud/internal service data including metadata APIs (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime.

Deeper analysisAI

CVE-2026-2286 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the CrewAI software. The issue resides in the RAG search tools, which do not properly validate URLs provided at runtime, enabling unauthorized content acquisition from internal and cloud services. Published on 2026-03-30, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network with no user interaction needed. By supplying crafted URLs to the RAG search tools, the attacker can induce CrewAI to fetch content from restricted internal services or cloud resources, potentially compromising sensitive data (high confidentiality impact), modifying systems (high integrity impact), or disrupting availability (high availability impact).

Mitigation guidance is available in the CERT advisory at https://www.kb.cert.org/vuls/id/221883.