CVE-2026-2286
CrewAI: SSRF via unvalidated RAG tool URLs exposes internal services
CrewAI's RAG search tools accept arbitrary URLs at runtime without validation, enabling SSRF attacks that can reach internal APIs, cloud metadata endpoints (AWS IMDSv1, GCP metadata), and private services. Any deployment exposing CrewAI agents to untrusted input is at risk of internal network traversal and credential theft. Restrict network egress from CrewAI deployments immediately and audit URL sources passed to RAG tools pending a patch.
Recommended Action
- PATCH: Monitor CrewAI GitHub and apply fix immediately when released; pin to patched version.
- NETWORK: Restrict outbound HTTP from CrewAI agent hosts using egress firewall rules — whitelist only required external domains.
- BLOCK METADATA: If running on cloud (AWS/GCP/Azure), enforce IMDSv2 (hop-limit 1) and block 169.254.169.254 at host firewall.
- INPUT VALIDATION: Until patched, wrap RAG tool URL inputs with an allowlist validator rejecting private IP ranges (RFC1918: 10/8, 172.16/12, 192.168/16) and metadata IPs.
- DETECT: Alert on outbound connections from agent processes to RFC1918 ranges or metadata endpoints.
- AUDIT: Review agent logs for unexpected internal HTTP requests.
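The INPUT VALIDATION and DETECT items above describe a runtime URL allowlist check and an egress alerting rule. The following Python is an added example, not CrewAI project code: `validate_rag_url` rejects non-HTTP schemes, hosts outside a hypothetical `ALLOWED_HOSTS` set, cloud metadata hostnames, and any resolved address that is not globally routable (RFC1918, loopback, link-local, CGNAT), and `flag_egress_lines` applies the detection rule to constructed egress log lines in an assumed `proc=... dst=... dport=...` format. The resolver hook and all sample values are assumptions made for illustration.

```python
"""Runtime URL allowlist validator and egress detection for RAG tool fetches.

Added example; not CrewAI project code. ALLOWED_HOSTS, validate_rag_url,
flag_egress_lines, the resolver hook and the sample log lines are constructed.
"""
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Hypothetical allowlist: the only external hosts the agent may fetch from.
ALLOWED_HOSTS = {"docs.example.com"}

# Cloud metadata endpoints: IMDS IPv4/IPv6 addresses and GCP's metadata hostnames.
METADATA_IPS = {ipaddress.ip_address("169.254.169.254"), ipaddress.ip_address("fd00:ec2::254")}
METADATA_HOSTS = {"metadata.google.internal", "metadata"}


def _resolve(host):
    """Default resolver: every IPv4/IPv6 answer for host, as strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_rag_url(url, resolver=_resolve):
    """Return (ok, reason, pinned_ips). `resolver` is injectable so the check
    runs without DNS in tests; it must return address strings."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not http(s)", []
    host = parsed.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host", []
    if parsed.username or parsed.password:
        return False, "userinfo in URL", []
    if host in METADATA_HOSTS:
        return False, "metadata hostname", []
    # IP literals are judged directly, with no DNS involved.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if literal in METADATA_IPS or not literal.is_global:
            return False, f"non-public address {literal}", []
        return False, "IP literals are not allowlisted", []
    if host not in ALLOWED_HOSTS:
        return False, f"host {host} not in allowlist", []
    # Defense in depth: an allowlisted name can still resolve to an internal
    # address (DNS misconfiguration or an attacker-controlled zone). Check every answer.
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):
        return False, "DNS resolution failed", []
    if not addrs:
        return False, "no addresses", []
    for ip in addrs:
        if ip in METADATA_IPS or not ip.is_global:
            return False, f"{host} resolves to non-public {ip}", []
    # The caller should connect to one of these pinned IPs (sending the Host
    # header) instead of re-resolving, to close the DNS-rebinding window.
    return True, "ok", addrs


# Assumed key=value egress log format from a host firewall or process tracer.
EGRESS_LINE = re.compile(r"proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<port>\d+)")


def flag_egress_lines(lines, agent_proc_prefix="crewai"):
    """Return (line, reason) pairs for connections from agent processes to
    metadata endpoints or non-public (RFC1918, loopback, link-local) addresses."""
    hits = []
    for line in lines:
        m = EGRESS_LINE.search(line)
        if not m or not m.group("proc").startswith(agent_proc_prefix):
            continue
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue
        if dst in METADATA_IPS:
            hits.append((line, "metadata endpoint"))
        elif not dst.is_global:
            hits.append((line, "non-public destination"))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-01-15T10:22:01Z proc=crewai-agent dst=169.254.169.254 dport=80",
    "2026-01-15T10:22:03Z proc=crewai-agent dst=10.0.12.7 dport=8080",
    "2026-01-15T10:22:05Z proc=crewai-agent dst=93.184.216.34 dport=443",
    "2026-01-15T10:22:07Z proc=nginx dst=10.0.0.1 dport=5432",
]

if __name__ == "__main__":
    print(validate_rag_url("http://169.254.169.254/latest/meta-data/"))
    for line, reason in flag_egress_lines(SAMPLE_LOG):
        print(f"ALERT [{reason}]: {line}")
```

The validator is only as good as where it sits: it has to wrap the tool's actual fetch, re-run on every redirect hop, and the HTTP client should connect to the returned pinned address rather than resolving the name a second time, otherwise a resolve-then-fetch gap remains.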
Technical Details
NVD Description
CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime.
Exploitation Scenario
Attacker submits a document to a CrewAI RAG-enabled agent containing a URL pointing to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS metadata endpoint). The agent's RAG search tool, lacking URL validation, fetches this URL, and the response — containing temporary IAM credentials — is ingested into the agent's context. The agent may include this data in its response or the attacker retrieves it via a follow-up prompt. With the IAM credentials, the attacker pivots to the AWS control plane for further access. Alternatively, the attacker targets internal APIs (http://internal-api:8080/admin) to enumerate or exfiltrate sensitive data from services co-located on the private network.