Skip to main content

Crewai EUVDEUVD-2026-17121

| CVE-2026-2286 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-30 cret@cert.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 16:22 euvd
EUVD-2026-17121
Analysis Generated
Mar 30, 2026 - 16:22 vuln.today
CVE Published
Mar 30, 2026 - 16:16 nvd
CRITICAL 9.8

DescriptionCVE.org

CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime.

AnalysisAI

Server-side request forgery in CrewAI's RAG search tools allows remote attackers to access internal and cloud services by injecting malicious URLs at runtime without proper validation. The vulnerability affects CrewAI's content acquisition mechanisms, enabling unauthorized data exfiltration from internal networks and cloud-hosted resources. No CVSS score, active exploitation status, or patch information is currently available in public sources.

Technical ContextAI

CrewAI's RAG (Retrieval-Augmented Generation) search tools process user-supplied or dynamically generated URLs to fetch content for knowledge base augmentation. The vulnerability stems from insufficient URL validation before initiating server-side HTTP requests, allowing an attacker to bypass intended URL restrictions and redirect requests to internal services (localhost, private IP ranges), cloud metadata endpoints (AWS IMDSv2, Azure IMDS), or other sensitive resources. This is a classic SSRF scenario where the server itself becomes a proxy for attacks against internal infrastructure that would otherwise be network-isolated from external attackers.

RemediationAI

Immediate remediation requires updating CrewAI to a patched version once released by the development team; check the official repository and CERT advisory for patch availability and exact version numbers. In the interim, restrict runtime URL injection by implementing strict URL allowlisting in RAG tool configurations, blocking requests to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1), and cloud metadata endpoints (169.254.169.254, 0.0.0.0). Disable or isolate RAG search functionality if it is not essential until a patch is deployed. Review and audit any CrewAI instances for signs of SSRF exploitation (unusual internal network access, requests to metadata services, or unexpected data exfiltration).

Share

EUVD-2026-17121 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy