CVE-2026-2275: CrewAI: RCE via Docker fallback in CodeInterpreter

CRITICAL CISA: ATTEND
Published March 30, 2026
CISO Take

CrewAI's CodeInterpreter silently degrades to SandboxPython when Docker is unreachable, enabling arbitrary C function calls and full RCE. Any agentic workflow using this tool in environments where Docker availability is not strictly enforced is at risk. Disable CodeInterpreter in production immediately unless Docker connectivity is verified at startup and monitored continuously.

What is the risk?

High. The fail-open behavior is silent — operators receive no warning when SandboxPython substitutes for the Docker-based sandbox. An adversary who can disrupt Docker connectivity (even transiently) triggers the vulnerable code path. The combination of silent degradation, RCE via C function invocation, and broad adoption of CrewAI in production agentic platforms makes this a significant threat. CVSS is unscored but functional severity is Critical in affected deployment patterns.

How severe is it?

CVSS 3.1: 9.6 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 35% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

  1. Audit all CrewAI deployments for CodeInterpreter usage immediately.
  2. Disable CodeInterpreter in environments where Docker availability cannot be guaranteed.
  3. Add startup health checks that verify Docker socket connectivity and fail the agent if Docker is unreachable — never fall back silently.
  4. Monitor agent execution logs for SandboxPython fallback indicators.
  5. Apply container hardening (seccomp, AppArmor, no-new-privileges, read-only filesystem) to limit RCE blast radius.
  6. Restrict network egress from agent containers to prevent reverse shell callbacks.
  7. Track CrewAI GitHub releases for a patch and apply immediately on release.
  8. Consider wrapping CodeInterpreter with a guard layer that raises an exception on Docker unavailability rather than allowing fallback.
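A fail-closed guard for steps 3 and 8, as an added example that is not CrewAI's own code: it checks the Docker daemon over its Unix socket (the Engine API's `/_ping` endpoint on the default `/var/run/docker.sock`) and raises instead of degrading to a local sandbox. `run_in_docker` is a hypothetical stand-in for the tool's Docker execution path.

```python
import socket
from typing import Callable

DOCKER_SOCKET = "/var/run/docker.sock"  # default daemon socket on Linux


class DockerUnavailableError(RuntimeError):
    """Raised when the Docker daemon does not answer GET /_ping."""


def docker_ping(socket_path: str = DOCKER_SOCKET, timeout: float = 2.0) -> bool:
    """Return True only if the daemon answers /_ping with HTTP 200.

    Any socket error, timeout or unexpected reply counts as unavailable.
    """
    if not hasattr(socket, "AF_UNIX"):
        return False
    request = b"GET /_ping HTTP/1.1\r\nHost: docker\r\nConnection: close\r\n\r\n"
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(socket_path)
            sock.sendall(request)
            reply = sock.recv(4096)
    except OSError:
        return False
    # Status line is e.g. b"HTTP/1.1 200 OK"; only a 200 counts as healthy.
    parts = reply.split(b" ", 2)
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/1.") and parts[1] == b"200"


def require_docker(ping: Callable[[], bool] = docker_ping) -> None:
    """Startup health check: raise instead of letting the tool degrade."""
    if not ping():
        raise DockerUnavailableError(
            "Docker daemon unreachable; refusing to execute code "
            "(no SandboxPython fallback)"
        )


def guarded_run(code: str, run_in_docker: Callable[[str], str],
                ping: Callable[[], bool] = docker_ping) -> str:
    """Execute `code` only through the Docker-backed path, fail-closed.

    `run_in_docker` is a hypothetical stand-in for the tool's Docker
    executor; nothing here ever substitutes a local sandbox for it.
    """
    require_docker(ping)  # re-checked on every call, not only at startup
    return run_in_docker(code)
```

Call `require_docker()` once at agent startup and route every code execution through `guarded_run`; the raised exception is the signal to alert on rather than a silent fallback.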

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI System Risk Controls
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-2275?

CrewAI's CodeInterpreter silently degrades to SandboxPython when Docker is unreachable, enabling arbitrary C function calls and full RCE. Any agentic workflow using this tool in environments where Docker availability is not strictly enforced is at risk. Disable CodeInterpreter in production immediately unless Docker connectivity is verified at startup and monitored continuously.

Is CVE-2026-2275 actively exploited?

No confirmed active exploitation of CVE-2026-2275 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2275?

  1. Audit all CrewAI deployments for CodeInterpreter usage immediately.
  2. Disable CodeInterpreter in environments where Docker availability cannot be guaranteed.
  3. Add startup health checks that verify Docker socket connectivity and fail the agent if Docker is unreachable — never fall back silently.
  4. Monitor agent execution logs for SandboxPython fallback indicators.
  5. Apply container hardening (seccomp, AppArmor, no-new-privileges, read-only filesystem) to limit RCE blast radius.
  6. Restrict network egress from agent containers to prevent reverse shell callbacks.
  7. Track CrewAI GitHub releases for a patch and apply immediately on release.
  8. Consider wrapping CodeInterpreter with a guard layer that raises an exception on Docker unavailability rather than allowing fallback.

What systems are affected by CVE-2026-2275?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, code execution environments, multi-agent pipelines, AI coding assistants, autonomous task automation.

What is the CVSS score for CVE-2026-2275?

CVE-2026-2275 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.44%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, code execution environments, multi-agent pipelines, AI coding assistants, autonomous task automation

MITRE ATLAS Techniques

AML.T0050 Command and Scripting Interpreter
AML.T0051 LLM Prompt Injection
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0097 Virtualization/Sandbox Evasion
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling.

Exploitation Scenario

An adversary targets a CrewAI-based coding assistant deployed in a Kubernetes cluster. By exploiting a network policy misconfiguration or temporarily blocking the Docker socket (e.g., via a denial-of-service on the Docker daemon), the attacker triggers the SandboxPython fallback path. They then submit a crafted natural language task that causes the agent to execute Python code using ctypes to invoke C runtime functions such as system() or execve(), achieving RCE within the container. Without proper seccomp profiles, the attacker escalates to host access. In a multi-tenant platform, this enables cross-tenant data exfiltration or persistent backdoor installation.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published: March 30, 2026
Last Modified: April 1, 2026
First Seen: March 30, 2026
