Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime.
AnalysisAI
Server-side request forgery in CrewAI's RAG search tools allows remote attackers to access internal and cloud services by injecting malicious URLs at runtime without proper validation. The vulnerability affects CrewAI's content acquisition mechanisms, enabling unauthorized data exfiltration from internal networks and cloud-hosted resources. No CVSS score, active exploitation status, or patch information is currently available in public sources.
Technical ContextAI
CrewAI's RAG (Retrieval-Augmented Generation) search tools process user-supplied or dynamically generated URLs to fetch content for knowledge base augmentation. The vulnerability stems from insufficient URL validation before initiating server-side HTTP requests, allowing an attacker to bypass intended URL restrictions and redirect requests to internal services (localhost, private IP ranges), cloud metadata endpoints (AWS IMDSv2, Azure IMDS), or other sensitive resources. This is a classic SSRF scenario where the server itself becomes a proxy for attacks against internal infrastructure that would otherwise be network-isolated from external attackers.
RemediationAI
Immediate remediation requires updating CrewAI to a patched version once released by the development team; check the official repository and CERT advisory for patch availability and exact version numbers. In the interim, restrict runtime URL injection by implementing strict URL allowlisting in RAG tool configurations, blocking requests to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1), and cloud metadata endpoints (169.254.169.254, 0.0.0.0). Disable or isolate RAG search functionality if it is not essential until a patch is deployed. Review and audit any CrewAI instances for signs of SSRF exploitation (unusual internal network access, requests to metadata services, or unexpected data exfiltration).
Server-side request forgery in CrewAI's scraping tools before version 1.15.1 lets remote attackers reach internal servic
CrewAI's JSON loader tool fails to validate file paths before reading, allowing arbitrary local file access that exposes
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17121