CVE-2026-2275: CrewAI: RCE via Docker fallback in CodeInterpreter

CRITICAL CISA: ATTEND
Published March 30, 2026
CISO Take

CrewAI's CodeInterpreter silently degrades to SandboxPython when Docker is unreachable, enabling arbitrary C function calls and full RCE. Any agentic workflow using this tool in environments where Docker availability is not strictly enforced is at risk. Disable CodeInterpreter in production immediately unless Docker connectivity is verified at startup and monitored continuously.

What is the risk?

High. The fail-open behavior is silent: operators receive no warning when SandboxPython is substituted for the Docker-based sandbox. Any deployment where Docker is simply absent or misconfigured is already on the vulnerable code path, and an adversary who can disrupt Docker connectivity (even transiently) can force it. The combination of silent degradation, RCE via arbitrary C function invocation, and broad adoption of CrewAI in production agentic platforms makes this a significant threat. The CVSS 3.1 base score is 9.6 (Critical), and the practical severity matches it in affected deployment patterns.

Severity & Risk

CVSS 3.1
9.6 / 10
EPSS
0.02%
chance of exploitation in 30 days
Higher than 4% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. Audit all CrewAI deployments for CodeInterpreter usage immediately.
  2. Disable CodeInterpreter in environments where Docker availability cannot be guaranteed.
  3. Add startup health checks that verify Docker socket connectivity and fail the agent if Docker is unreachable; never fall back silently.
  4. Monitor agent execution logs for SandboxPython fallback indicators.
  5. Apply container hardening (seccomp, AppArmor, no-new-privileges, read-only filesystem) to limit the RCE blast radius.
  6. Restrict network egress from agent containers to prevent reverse shell callbacks.
  7. Track CrewAI GitHub releases for a patch and apply it immediately on release.
  8. Consider wrapping CodeInterpreter with a guard layer that raises an exception on Docker unavailability rather than allowing fallback.
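Steps 3 and 8 above amount to one control: probe the Docker engine and fail closed. The following is an added example, not CrewAI's code and not from the advisory. It talks to the engine's `/_ping` endpoint over the Unix socket with the standard library only, so it needs no Docker SDK. The `run_in_docker` callable, the socket path default, and the probe function are assumptions; the page does not document CodeInterpreter's internal method signatures, so the wrapper takes the Docker-backed executor as a plain callable.

```python
import http.client
import socket


class DockerUnavailableError(RuntimeError):
    """Raised instead of falling back to a weaker in-process sandbox."""


class _UnixSocketHTTPConnection(http.client.HTTPConnection):
    """HTTP over the Docker engine's Unix socket (stdlib only, no docker SDK)."""

    def __init__(self, socket_path: str, timeout: float):
        super().__init__("localhost", timeout=timeout)
        self._socket_path = socket_path

    def connect(self) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self._socket_path)


def docker_reachable(socket_path: str = "/var/run/docker.sock",
                     timeout: float = 2.0) -> bool:
    """True only if the engine answers GET /_ping with HTTP 200 and body 'OK'.

    Any socket error, timeout or malformed reply counts as unreachable: the
    check must never be optimistic, because an optimistic answer is exactly
    what lets the fallback path run.
    """
    try:
        conn = _UnixSocketHTTPConnection(socket_path, timeout)
        conn.request("GET", "/_ping")
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return resp.status == 200 and body.strip() == b"OK"
    except (OSError, http.client.HTTPException):
        return False


def require_docker(probe=docker_reachable) -> None:
    """Startup check: abort the agent rather than boot with a degraded sandbox."""
    if not probe():
        raise DockerUnavailableError(
            "Docker engine unreachable; refusing to start CodeInterpreter")


def guarded_execute(code: str, run_in_docker, probe=docker_reachable):
    """Fail-closed wrapper around a Docker-backed executor (assumed interface).

    The probe is re-run on every call, not only at startup, because the
    scenario this CVE describes is Docker disappearing mid-run. If the engine
    is gone, raise; do not hand the code to an in-process interpreter.
    """
    if not probe():
        raise DockerUnavailableError(
            "Docker engine unreachable; refusing to fall back to SandboxPython")
    return run_in_docker(code)


if __name__ == "__main__":
    # Assumed wiring: replace the lambda with the real Docker-backed executor.
    require_docker()
    print(guarded_execute("print('hello')", lambda src: f"ran in docker: {src!r}"))
```

Wire `require_docker()` into the agent's entrypoint (or a Kubernetes startup probe) so a pod without engine access never becomes Ready, and route every tool invocation through `guarded_execute` so a transient outage produces an exception in the logs rather than a silent downgrade.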

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI System Risk Controls
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
LLM06 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-2275?

CVE-2026-2275 is a fail-open weakness in CrewAI's CodeInterpreter tool: when Docker cannot be reached, the tool silently falls back to SandboxPython, and code run there can call arbitrary C functions, giving remote code execution in the agent's environment. Any agentic workflow using the tool where Docker availability is not strictly enforced is exposed. See "CISO Take" above.

Is CVE-2026-2275 actively exploited?

No confirmed in-the-wild exploitation of CVE-2026-2275 has been reported (it is not in CISA KEV), but a public proof of concept exists (CISA SSVC exploitation: poc). Apply the mitigations under "What should I do?" now and upgrade as soon as CrewAI publishes a fixed release.

How to fix CVE-2026-2275?

Follow the steps under "What should I do?" above. In short: audit deployments for CodeInterpreter usage; disable it where Docker cannot be guaranteed; verify Docker connectivity at startup and fail closed instead of falling back; monitor logs for SandboxPython fallback indicators; harden agent containers (seccomp, AppArmor, no-new-privileges, read-only filesystem) and restrict their egress; and apply the CrewAI fix as soon as it is released.

What systems are affected by CVE-2026-2275?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, code execution environments, multi-agent pipelines, AI coding assistants, autonomous task automation.

What is the CVSS score for CVE-2026-2275?

CVE-2026-2275 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling.

Exploitation Scenario

An adversary targets a CrewAI-based coding assistant deployed in a Kubernetes cluster. By exploiting a network policy misconfiguration or temporarily blocking the Docker socket (e.g., via a denial-of-service on the Docker daemon), the attacker triggers the SandboxPython fallback path. They then submit a crafted natural language task (the user interaction reflected in UI:R) that causes the agent to execute Python code using ctypes to invoke C runtime functions such as system() or execve(), achieving RCE in the agent's container. If that container is also over-privileged (running as root, lacking seccomp or AppArmor profiles, or with the Docker socket mounted so the agent can reach the engine), the foothold can extend to the host. In a multi-tenant platform, this enables cross-tenant data exfiltration or persistent backdoor installation.
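The scenario turns on a point worth seeing concretely: an in-process Python "sandbox" that polices imports or names cannot stop ctypes, because ctypes can call any symbol in the running process, including libc's system() and execve(). The following added example is not CrewAI's SandboxPython and not from the advisory; it is a hypothetical toy denylist sandbox written to show the class of weakness. It deliberately calls the harmless libc function getpid() rather than system(), since the path to either is identical. It assumes a POSIX host, where `ctypes.CDLL(None)` hands back the main program's symbol table.

```python
import ast
import ctypes
import os

# Hypothetical toy denylist, not CrewAI's: blocks the obvious modules and nothing else.
BLOCKED_MODULES = {"os", "subprocess", "sys", "socket"}


class SandboxViolation(Exception):
    """Raised when agent code tries to import a denylisted module."""


def toy_denylist_sandbox(code: str) -> dict:
    """Illustrative in-process 'sandbox': reject denylisted imports, then exec().

    This is the pattern that fails. Filtering at the Python level leaves the
    process itself (and every C function linked into it) fully reachable.
    """
    tree = ast.parse(code)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            continue
        for name in names:
            if name.split(".")[0] in BLOCKED_MODULES:
                raise SandboxViolation(f"import of {name!r} is blocked")
    env: dict = {}
    exec(compile(tree, "<agent-code>", "exec"), env)
    return env


def denylist_blocks_os() -> bool:
    """The denylist does what it says for the modules it names."""
    try:
        toy_denylist_sandbox("import os\nresult = os.getpid()")
    except SandboxViolation:
        return True
    return False


def ctypes_pid_via_sandbox() -> int:
    """Agent-style payload (constructed): reach libc directly, bypassing the denylist.

    CDLL(None) is dlopen(NULL): a handle to the running process, so any libc
    symbol (getpid here; system or execve just as easily) is callable.
    """
    env = toy_denylist_sandbox(
        "import ctypes\n"
        "libc = ctypes.CDLL(None)\n"
        "result = libc.getpid()\n"
    )
    return env["result"]


def bypass_works() -> bool:
    """True when the 'sandboxed' code ran native libc code in this very process."""
    return ctypes_pid_via_sandbox() == os.getpid()


if __name__ == "__main__":
    print("denylist blocks os:", denylist_blocks_os())
    print("ctypes reached libc getpid() in-process:", bypass_works())
```

Because the fallback executes in the same process as the agent, any RCE lands with the agent's own privileges and credentials (API keys in its environment, the mounted Docker socket, its service account). The only sound fix is the one the mitigations describe: refuse to execute at all when the out-of-process sandbox is unavailable, rather than attempting to make an in-process one safe.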

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published
March 30, 2026
Last Modified
April 1, 2026
First Seen
March 30, 2026

Related Vulnerabilities