CVE-2026-2286

CRITICAL

CrewAI 1.0 - SSRF in RAG Search Tools

Title source: manual

Description

CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime.

References (1)

Core 1

Core References

https://www.kb.cert.org/vuls/id/221883

Scores

CVSS v3 9.8

EPSS 0.0047

EPSS Percentile 36.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-918

Status published

Products (3)

crewai/crewai 1.0

crewai/crewai 1.0.0

CrewAI/CrewAI 1.0

Published Mar 30, 2026

Tracked Since Mar 30, 2026