CVE-2026-2286

CRITICAL 9.8

CVE-2026-2286

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

4th

CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime.

Vendor	crewai
Product	crewai
Published	Mar 30, 2026
Last Updated	Apr 1, 2026

Stay Ahead of the Next One

Get instant alerts for crewai crewai

Be the first to know when new critical vulnerabilities affecting crewai crewai are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

CrewAI / CrewAI

1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

kb.cert.org: https://www.kb.cert.org/vuls/id/221883