{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2275", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-02-10T12:06:47.960Z", "datePublished": "2026-03-30T15:50:25.922Z", "dateUpdated": "2026-03-31T17:53:04.735Z"}, "containers": {"cna": {"title": "CVE-2026-2275", "descriptions": [{"lang": "en", "value": "The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "CrewAI", "product": "CrewAI", "versions": [{"status": "affected", "version": "1.0"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-749: Exposed Dangerous Method or Function"}]}], "references": [{"url": "https://docs.crewai.com/en/tools/ai-ml/codeinterpretertool"}, {"url": "https://www.kb.cert.org/vuls/id/221883"}], "x_generator": {"engine": "VINCE 3.0.34", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-2275"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-30T15:50:25.922Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-749", "lang": "en", "description": "CWE-749 Exposed Dangerous Method or Function"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T17:52:35.698294Z", "id": "CVE-2026-2275", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:53:04.735Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2275", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T17:52:35.698294Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-749", "description": "CWE-749 Exposed Dangerous Method or Function"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:50:49.435Z"}}], "cna": {"title": "CVE-2026-2275", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "CrewAI", "product": "CrewAI", "versions": [{"status": "affected", "version": "1.0"}]}], "references": [{"url": "https://docs.crewai.com/en/tools/ai-ml/codeinterpretertool"}, {"url": "https://www.kb.cert.org/vuls/id/221883"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.34", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-2275"}, "descriptions": [{"lang": "en", "value": "The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-749: Exposed Dangerous Method or Function"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-30T15:50:25.922Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2275", "state": "PUBLISHED", "dateUpdated": "2026-03-31T17:53:04.735Z", "dateReserved": "2026-02-10T12:06:47.960Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-03-30T15:50:25.922Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling."}, {"lang": "es", "value": "La herramienta CodeInterpreter de CrewAI recurre a SandboxPython cuando no puede acceder a Docker, lo que puede habilitar RCE mediante la llamada arbitraria a funciones C."}], "id": "CVE-2026-2275", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T16:16:04.557", "references": [{"source": "cret@cert.org", "url": "https://docs.crewai.com/en/tools/ai-ml/codeinterpretertool"}, {"source": "cret@cert.org", "url": "https://www.kb.cert.org/vuls/id/221883"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-749"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CrewAI", "source": "cna", "vendor": "CrewAI"}, "product": "crewai", "vendor": "crewai"}], "analysis": {"en": {"generated_at": "2026-03-30T17:22:39.714100+00:00", "value": {"mitigation_remediation": ["Apply the latest CrewAI updates that address the CodeInterpreter fallback issue.", "If an update is pending, restrict access to the CodeInterpreter service to trusted users.", "Configure the application to permanently disable the Docker fallback or force Docker usage.", "Monitor logs for any anomalous invocation of C functions via the CodeInterpreter tool."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the CrewAI CodeInterpreter component. No specific version details are provided; all installations of the CodeInterpreter tool without patches are potentially vulnerable.", "description_and_impact": "CrewAI\u2019s CodeInterpreter tool has a flaw where it falls back to a sandboxed Python execution environment instead of using Docker when Docker is unavailable. This fallback permits the execution of arbitrary C functions, effectively enabling remote code execution. The weakness lies in improper restriction of operations, allowing an attacker to run code beyond intended boundaries.", "risk_and_exploitability": "Because the flaw can be triggered by any user of the affected application, the risk is significant. The CVSS score is not publicly disclosed, and EPSS data is missing, but remote code execution generally carries high severity. The vulnerability is not listed in the CISA KEV catalog, yet the lack of a CVSS score does not lessen the potential for exploitation. Attackers could likely exploit the vulnerability by using normal interaction with the CodeInterpreter endpoint, as the fallback is automatic when Docker is unreachable."}}}}, "created": "2026-03-30T20:55:34.606763+00:00", "title": "RCE in CrewAI CodeInterpreter via SandboxPython fallback", "updated": "2026-03-31T20:40:50.804200+00:00", "vendors": ["crewai", "crewai$PRODUCT$crewai"], "weaknesses": ["CWE-94", "CWE-79"]}