CrewAI
CVE-2026-62240
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, low-complexity redirect bypass with no auth (PR:N) but requires a workflow to fetch the URL (UI:R); reaching internal/metadata systems is a scope change (S:C) with confidentiality-only impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints.
AnalysisAI
Server-side request forgery in CrewAI's scraping tools before version 1.15.1 lets remote attackers reach internal services and cloud metadata endpoints by abusing a flawed validate_url function. The filter performs a single DNS resolution and blocklist check, then returns the original URL unchanged, so attacker-supplied URLs that HTTP-redirect to internal addresses or exploit DNS rebinding slip past the guard. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a CrewAI deployment (before 1.15.1) that feeds an attacker-supplied or attacker-influenceable URL into one of the scrape/web-fetch tools that call validate_url - this is the UI:P/passive-interaction prerequisite in the CVSS 4.0 vector: an agent workflow must be induced to fetch the malicious URL. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P, VC:H, SC:H) scores 8.3 (High): network-reachable, low complexity, no privileges, but with passive user interaction and a scope change reflected by high subsequent-system confidentiality impact - consistent with SSRF reaching internal/metadata systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a URL under their control to an application that hands it to a CrewAI agent's scrape tool; the URL passes validate_url's one-shot check by resolving to a public IP, then returns an HTTP 302 redirect (or rebinds via DNS) to http://169.254.169.254/latest/meta-data/. CrewAI follows it and returns the cloud instance's IAM credentials or internal service responses to the attacker. … |
| Remediation | Vendor-released patch: upgrade to CrewAI 1.15.1 or later, which fixes the SSRF redirect bypass in scraping fetches (release notes list 'Fix SSRF redirect bypass in scraping fetches (#6331)'; fix commit 5d4851eac797cafc45b726f65747fe2c9520fc42). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all systems running CrewAI to identify affected versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Server-side request forgery in CrewAI's RAG search tools allows remote attackers to access internal and cloud services b
CrewAI's JSON loader tool fails to validate file paths before reading, allowing arbitrary local file access that exposes
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today