Cyber Resilience

CVE-2026-2287

CriticalRCE

Published: 30 March 2026

Published
30 March 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0069 48.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-2287 is a critical-severity Code Injection (CWE-94) vulnerability in Crewai Crewai. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-24 (Fail in Known State) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2287 is a critical vulnerability in CrewAI, an open-source framework for orchestrating AI agents, stemming from improper validation of Docker's runtime status. Specifically, CrewAI fails to verify if the Docker container is actively running, causing it to revert to a less secure sandbox configuration that exposes the system to remote code execution (RCE). This issue aligns with CWE-94 (Improper Control of Generation of Code), earning a CVSS v3.1 base score of 9.8 due to its severe impact.

The vulnerability enables remote, unauthenticated attackers with network access to the affected CrewAI instance to exploit it with low complexity and no user interaction required. Successful exploitation grants attackers high-level privileges, allowing arbitrary code execution on the host system, potentially compromising confidentiality, integrity, and availability through full system control.

For mitigation details, refer to the CERT Coordination Center advisory at https://www.kb.cert.org/vuls/id/221883, which provides guidance on patches, workarounds, and remediation steps.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: crewai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Vulnerability in public-facing CrewAI framework allows unauthenticated remote code execution via improper sandbox fallback (CWE-94).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2285Same product: Crewai Crewai
CVE-2026-2286Same product: Crewai Crewai
CVE-2026-25807Shared CWE-94
CVE-2026-31040Shared CWE-94
CVE-2026-26045Shared CWE-94
CVE-2024-11600Shared CWE-94
CVE-2025-67979Shared CWE-94
CVE-2026-6543Shared CWE-94
CVE-2025-6000Shared CWE-94
CVE-2024-54756Shared CWE-94

Affected Assets

crewai
crewai
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of the CrewAI flaw failing to verify Docker runtime status, preventing fallback to the vulnerable RCE-prone sandbox.

prevent

Mandates failing to a secure state when Docker is not running, avoiding the insecure sandbox fallback that enables RCE exploitation.

prevent

Enforces secure configuration settings for CrewAI to validate Docker status and prohibit vulnerable sandbox fallbacks.

References