Agents
CrewAI Hit by Four CVEs: Prompt Injection Chains to RCE, SSRF, Sandbox Escape, and Arbitrary File Read
CERT/CC advisory VU#221883 discloses four vulnerabilities in CrewAI that chain through prompt injection: CVE-2026-2275 (Code Interpreter Tool falls back to vulnerable SandboxPython if Docker unreachable, enabling arbitrary C function calls), CVE-2026-2285 (JSON loader reads files without path validation), CVE-2026-2286 (SSRF), and CVE-2026-2287 (insecure Docker runtime fallback). An attacker who can interact with a CrewAI agent with Code Interpreter enabled can chain these to achieve full host compromise. This represents the 'prompts become shells' pattern Microsoft identified as systemic across agent frameworks.
Source
↳ Follow the thread