CVE-2026-2286: CrewAI: SSRF via unvalidated RAG tool URLs exposes internal services

Severity: CRITICAL | CISA SSVC: Track*
Published March 30, 2026

CISO Take

CrewAI's RAG search tools accept arbitrary URLs at runtime without validation, enabling SSRF attacks that can reach internal APIs, cloud metadata endpoints (AWS IMDSv1, GCP metadata), and private services. Any deployment exposing CrewAI agents to untrusted input is at risk of internal network traversal and credential theft. Restrict network egress from CrewAI deployments immediately and audit URL sources passed to RAG tools pending a patch.

What is the risk?

HIGH risk for cloud-deployed CrewAI agents. SSRF in agent frameworks is particularly dangerous because agents operate with elevated trust and broad tool access. Attackers can pivot from SSRF to credential harvesting via cloud metadata endpoints (IMDSv1 returns IAM keys with no auth), internal API enumeration, and lateral movement. Exploitability is trivial for anyone with input access to the agent. The absence of CVSS scoring does not diminish real-world severity — SSRF-to-cloud-metadata chains have been weaponized repeatedly in production environments.

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 18% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

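Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High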

What should I do?

6 steps
  1. PATCH

    Monitor CrewAI GitHub and apply fix immediately when released; pin to patched version.

  2. NETWORK

    Restrict outbound HTTP from CrewAI agent hosts using egress firewall rules — whitelist only required external domains.

  3. BLOCK METADATA

    If running on cloud (AWS/GCP/Azure), enforce IMDSv2 (hop-limit 1) and block 169.254.169.254 at host firewall.

  4. INPUT VALIDATION

    Until patched, wrap RAG tool URL inputs with an allowlist validator rejecting private IP ranges (RFC1918: 10/8, 172.16/12, 192.168/16) and metadata IPs.

  5. DETECT

    Alert on outbound connections from agent processes to RFC1918 ranges or metadata endpoints.

  6. AUDIT

    Review agent logs for unexpected internal HTTP requests.
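
Step 4's allowlist validator, sketched in Python as an added example (not CrewAI code and not from this advisory). `ALLOWED_HOSTS`, `validate_rag_url`, `verdict` and the constructed DNS table are assumptions for illustration; the check is meant to run on a URL before it is handed to a RAG tool.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: placeholder for the external hosts your RAG tools actually need.
ALLOWED_HOSTS = frozenset({"docs.example.com"})
# Constructed DNS answers so the example runs offline.
FAKE_DNS = {"docs.example.com": "93.184.216.34", "wiki.example.com": "10.0.0.5"}

def is_internal(addr):
    """True for RFC1918, loopback, link-local (169.254.169.254) and other non-public IPs."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:10.0.0.1 -> 10.0.0.1
        ip = ip.ipv4_mapped
    return not ip.is_global or ip.is_multicast

def validate_rag_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=socket.getaddrinfo):
    """Return the vetted IPs for url, or raise ValueError with the reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in allowed_hosts:
        raise ValueError("host not on allowlist")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # Check every resolved address: an allowlisted name can still point inside.
    addrs = sorted({i[4][0] for i in resolve(host, port, type=socket.SOCK_STREAM)})
    internal = [a for a in addrs if is_internal(a)]
    if internal or not addrs:
        raise ValueError(f"resolves to internal address: {internal}")
    return addrs

def verdict(url, **kwargs):
    """Return 'ok' or the rejection reason (useful for logging)."""
    try:
        validate_rag_url(url, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)

def fake_resolve(host, port, type=0):
    """Stand-in for socket.getaddrinfo backed by FAKE_DNS (constructed data)."""
    return [(socket.AF_INET, type, 6, "", (FAKE_DNS[host], port))]

if __name__ == "__main__":
    for u in ("https://docs.example.com/guide", "http://169.254.169.254/latest/meta-data/"):
        print(u, "->", verdict(u, resolve=fake_resolve))
```

Apply the same check to every redirect hop, and connect to the returned address rather than re-resolving the name, so the target cannot change between check and fetch.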

CISA SSVC Assessment

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.4 - Technical measures for AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems are evaluated and applied
OWASP LLM Top 10: LLM06 - Excessive Agency; LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-2286?

CrewAI's RAG search tools accept arbitrary URLs at runtime without validation, enabling SSRF attacks that can reach internal APIs, cloud metadata endpoints (AWS IMDSv1, GCP metadata), and private services. Any deployment exposing CrewAI agents to untrusted input is at risk of internal network traversal and credential theft. Restrict network egress from CrewAI deployments immediately and audit URL sources passed to RAG tools pending a patch.

Is CVE-2026-2286 actively exploited?

No confirmed active exploitation of CVE-2026-2286 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2286?

  1. PATCH: Monitor CrewAI GitHub and apply fix immediately when released; pin to patched version.
  2. NETWORK: Restrict outbound HTTP from CrewAI agent hosts using egress firewall rules — whitelist only required external domains.
  3. BLOCK METADATA: If running on cloud (AWS/GCP/Azure), enforce IMDSv2 (hop-limit 1) and block 169.254.169.254 at host firewall.
  4. INPUT VALIDATION: Until patched, wrap RAG tool URL inputs with an allowlist validator rejecting private IP ranges (RFC1918: 10/8, 172.16/12, 192.168/16) and metadata IPs.
  5. DETECT: Alert on outbound connections from agent processes to RFC1918 ranges or metadata endpoints.
  6. AUDIT: Review agent logs for unexpected internal HTTP requests.

What systems are affected by CVE-2026-2286?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, RAG pipelines, Multi-agent systems, Cloud-deployed AI workloads.

What is the CVSS score for CVE-2026-2286?

CVE-2026-2286 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime.

Exploitation Scenario

An attacker submits a document to a CrewAI RAG-enabled agent containing a URL pointing to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS metadata endpoint). The agent's RAG search tool, lacking URL validation, fetches this URL, and the response — containing temporary IAM credentials — is ingested into the agent's context. The agent may include this data in its response, or the attacker may retrieve it via a follow-up prompt. With the IAM credentials, the attacker pivots to the AWS control plane for further access. Alternatively, the attacker targets internal APIs (http://internal-api:8080/admin) to enumerate or exfiltrate sensitive data from services co-located on the private network.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 30, 2026
Last Modified: April 15, 2026
First Seen: March 30, 2026
