CVE-2026-2287

CriticalRCE

Published: 30 March 2026

Published

30 March 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0007 20.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2287 is a critical-severity Code Injection (CWE-94) vulnerability in Crewai Crewai. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-24 (Fail in Known State) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation of the CrewAI flaw failing to verify Docker runtime status, preventing fallback to the vulnerable RCE-prone sandbox.

SC-24 Fail in Known State good match

prevent

Mandates failing to a secure state when Docker is not running, avoiding the insecure sandbox fallback that enables RCE exploitation.

CM-6 Configuration Settings partial match

prevent

Enforces secure configuration settings for CrewAI to validate Docker status and prohibit vulnerable sandbox fallbacks.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing CrewAI framework allows unauthenticated remote code execution via improper sandbox fallback (CWE-94).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation.

Deeper analysisAI

CVE-2026-2287 is a critical vulnerability in CrewAI, an open-source framework for orchestrating AI agents, stemming from improper validation of Docker's runtime status. Specifically, CrewAI fails to verify if the Docker container is actively running, causing it to revert to a less secure sandbox configuration that exposes the system to remote code execution (RCE). This issue aligns with CWE-94 (Improper Control of Generation of Code), earning a CVSS v3.1 base score of 9.8 due to its severe impact.

The vulnerability enables remote, unauthenticated attackers with network access to the affected CrewAI instance to exploit it with low complexity and no user interaction required. Successful exploitation grants attackers high-level privileges, allowing arbitrary code execution on the host system, potentially compromising confidentiality, integrity, and availability through full system control.

For mitigation details, refer to the CERT Coordination Center advisory at https://www.kb.cert.org/vuls/id/221883, which provides guidance on patches, workarounds, and remediation steps.