CVE-2026-2287
Published: 30 March 2026
Summary
CVE-2026-2287 is a critical-severity Code Injection (CWE-94) vulnerability in Crewai Crewai. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-24 (Fail in Known State) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2287 is a critical vulnerability in CrewAI, an open-source framework for orchestrating AI agents, stemming from improper validation of Docker's runtime status. Specifically, CrewAI fails to verify if the Docker container is actively running, causing it to revert to a less secure sandbox configuration that exposes the system to remote code execution (RCE). This issue aligns with CWE-94 (Improper Control of Generation of Code), earning a CVSS v3.1 base score of 9.8 due to its severe impact.
The vulnerability enables remote, unauthenticated attackers with network access to the affected CrewAI instance to exploit it with low complexity and no user interaction required. Successful exploitation grants attackers high-level privileges, allowing arbitrary code execution on the host system, potentially compromising confidentiality, integrity, and availability through full system control.
For mitigation details, refer to the CERT Coordination Center advisory at https://www.kb.cert.org/vuls/id/221883, which provides guidance on patches, workarounds, and remediation steps.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17123
Vulnerability details
CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: crewai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing CrewAI framework allows unauthenticated remote code execution via improper sandbox fallback (CWE-94).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely remediation of the CrewAI flaw failing to verify Docker runtime status, preventing fallback to the vulnerable RCE-prone sandbox.
Mandates failing to a secure state when Docker is not running, avoiding the insecure sandbox fallback that enables RCE exploitation.
Enforces secure configuration settings for CrewAI to validate Docker status and prohibit vulnerable sandbox fallbacks.