CVE-2026-2287: CrewAI: Docker sandbox fallback enables RCE

CRITICAL CISA: TRACK*
Published March 30, 2026
CISO Take

CrewAI fails to verify Docker is running before executing sandboxed code, silently falling back to an unsandboxed mode that allows arbitrary code execution on the host. Any organization running CrewAI agents with code execution tools must patch immediately or disable code execution tasks until remediated. This is exploitable in production environments where Docker instability (crashes, OOM kills, resource pressure) is not uncommon.

What is the risk?

HIGH. RCE in an AI agent framework is a critical finding. CrewAI agents typically run with access to sensitive APIs, credentials, and internal infrastructure. The failure mode is insidious: it triggers silently during Docker instability rather than requiring active exploitation of a memory corruption bug. Any sufficiently loaded system that runs Docker could experience this window of exposure. Exposure surface is large given CrewAI's adoption in enterprise agentic pipelines.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 21% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. Upgrade CrewAI to the patched version as soon as a fix is published — monitor the advisory at https://www.kb.cert.org/vuls/id/221883 for patch availability.

  2. Immediately audit environments running CrewAI with code execution capabilities; disable code execution tools in agent configs until patched.

  3. Add Docker daemon health checks at the application level: wrap CrewAI invocations with a pre-flight check that aborts if Docker is unavailable rather than allowing fallback.

  4. Deploy systemd/container-level watchdogs to auto-restart the Docker daemon on failure.

  5. Isolate CrewAI workers in their own containers/VMs with minimal host privileges; apply least-privilege to the service account running CrewAI.

  6. Enable auditd or eBPF-based monitoring (e.g., Falco) for unexpected process spawning from CrewAI's process tree as a detection signal.
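As an added example (not CrewAI's own code) of the fail-closed pre-flight check in step 3: the Docker daemon is probed with `docker info` immediately before each code task, and the task is refused rather than downgraded when the daemon is unreachable. The `run_code_task` wrapper and its injectable `probe` parameter are assumptions for illustration.

```python
"""Fail-closed Docker pre-flight for code-execution tasks (illustrative, not CrewAI code)."""
import shutil
import subprocess
from typing import Callable


class SandboxUnavailable(RuntimeError):
    """Raised when the Docker daemon cannot be reached; the code task must not run."""


def docker_daemon_is_up(timeout: float = 3.0) -> bool:
    """Probe the daemon with `docker info`; any failure (no CLI, timeout,
    non-zero exit, empty server version) is treated as 'down' so callers fail closed."""
    cli = shutil.which("docker")
    if cli is None:
        return False
    try:
        proc = subprocess.run(
            [cli, "info", "--format", "{{.ServerVersion}}"],
            capture_output=True, text=True, timeout=timeout, check=False,
        )
    except (subprocess.SubprocessError, OSError):
        return False
    # Also require a non-empty ServerVersion, in case the CLI prints a
    # client-only report with a zero exit status while the daemon is down.
    return proc.returncode == 0 and proc.stdout.strip() not in ("", "<no value>")


def run_code_task(task: Callable[[], object],
                  probe: Callable[[], bool] = docker_daemon_is_up) -> object:
    """Run `task` only if the sandbox backend is reachable right now.

    The probe runs before every task rather than once at startup, because this
    advisory is about Docker disappearing during runtime. A daemon that dies
    between probe and task is still a narrow race; the watchdog and
    least-privilege steps above cover that residual window.
    """
    if not probe():
        raise SandboxUnavailable(
            "Docker daemon unreachable; refusing to run code task without a sandbox")
    return task()


if __name__ == "__main__":
    try:
        print(run_code_task(lambda: "task ran with sandbox available"))
    except SandboxUnavailable as exc:
        print(f"blocked: {exc}")
```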

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Security of AI System Runtime Environment
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain risk response
OWASP LLM Top 10
LLM08:2025 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-2287?

CrewAI fails to verify Docker is running before executing sandboxed code, silently falling back to an unsandboxed mode that allows arbitrary code execution on the host. Any organization running CrewAI agents with code execution tools must patch immediately or disable code execution tasks until remediated. This is exploitable in production environments where Docker instability (crashes, OOM kills, resource pressure) is not uncommon.

Is CVE-2026-2287 actively exploited?

No confirmed active exploitation of CVE-2026-2287 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2287?

  1. Upgrade CrewAI to the patched version as soon as a fix is published — monitor the advisory at https://www.kb.cert.org/vuls/id/221883 for patch availability.

  2. Immediately audit environments running CrewAI with code execution capabilities; disable code execution tools in agent configs until patched.

  3. Add Docker daemon health checks at the application level: wrap CrewAI invocations with a pre-flight check that aborts if Docker is unavailable rather than allowing fallback.

  4. Deploy systemd/container-level watchdogs to auto-restart the Docker daemon on failure.

  5. Isolate CrewAI workers in their own containers/VMs with minimal host privileges; apply least-privilege to the service account running CrewAI.

  6. Enable auditd or eBPF-based monitoring (e.g., Falco) for unexpected process spawning from CrewAI's process tree as a detection signal.

What systems are affected by CVE-2026-2287?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines, model serving, RAG pipelines.

What is the CVSS score for CVE-2026-2287?

CVE-2026-2287 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation.

Exploitation Scenario

An attacker with the ability to influence CrewAI task inputs (e.g., via a prompt injection through a document ingested by the agent, or via a compromised upstream data source) first ensures Docker is unavailable on the target host — achieved either by exploiting a separate DoS condition on the Docker daemon, waiting for a natural crash under load, or by a prior foothold on the system. Once Docker is down, the attacker causes the CrewAI agent to execute a code task. The framework, lacking a hard failure on missing Docker, runs the code directly on the host. The injected payload — e.g., exfiltrating environment variables containing API keys, establishing a reverse shell, or pivoting to internal services — executes with the privileges of the CrewAI process, bypassing container isolation entirely.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
March 30, 2026
Last Modified
April 15, 2026
First Seen
March 30, 2026
