CVE-2026-2275
Remote Code Execution in CrewAI CodeInterpreter via SandboxPython Fallback
Publication date: 2026-03-30
Last updated on: 2026-03-31
Assigner: CERT/CC
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crewai | codeinterpretertool | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-749 | The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the CrewAI CodeInterpreter tool occurs because when it cannot reach Docker, it falls back to using SandboxPython. This fallback can enable remote code execution (RCE) through arbitrary C function calls, which means an attacker could potentially execute malicious code on the host system.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary code remotely on the affected system. This could lead to unauthorized access, data theft, system compromise, or further exploitation of the environment where the CrewAI CodeInterpreter tool is running.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying whether the CrewAI CodeInterpreter tool is running in an environment where Docker is unavailable, causing it to fall back to the SandboxPython mode which can enable remote code execution.
You can check if Docker is installed and running on the system using the following commands:
- `docker info`
- `systemctl status docker`
If Docker is not running or not installed, the CodeInterpreter tool may be running in the less secure sandbox mode. Additionally, check if the tool is running with the unsafe_mode parameter enabled, which allows execution of arbitrary Python code on the host.
To detect if the unsafe_mode is enabled or if the tool is running without Docker, inspect the configuration or logs of the CrewAI CodeInterpreter tool.
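The checks above can be combined into one triage script. This is an added example, not code from CrewAI or from the advisory; it assumes the tool is referenced in Python source as `CodeInterpreterTool` and that unsafe mode is set with a literal `unsafe_mode=True`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not CrewAI code): triage a project for the Docker-fallback exposure.
# Assumptions: the tool appears in source as "CodeInterpreterTool" and unsafe mode is
# set with a literal "unsafe_mode=True"; values set via env/config are not detected.

# Return 0 when the Docker daemon answers, non-zero if the CLI is missing or the daemon is down.
docker_reachable() {
    command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1
}

# List Python files under $1 that reference the tool.
find_tool_usage() {
    grep -rlE --include='*.py' 'CodeInterpreterTool' "$1" 2>/dev/null
}

# List file:line hits under $1 where unsafe_mode is switched on.
find_unsafe_mode() {
    grep -rnE --include='*.py' 'unsafe_mode[[:space:]]*=[[:space:]]*True' "$1" 2>/dev/null
}

# classify_exposure DIR DOCKER_STATE   (DOCKER_STATE is "up" or "down")
# Prints one of: not-used, unsafe-mode, sandbox-fallback, docker
classify_exposure() {
    dir="$1"
    docker_state="$2"
    if [ -z "$(find_tool_usage "$dir")" ]; then
        echo "not-used"
    elif [ -n "$(find_unsafe_mode "$dir")" ]; then
        # unsafe_mode runs code on the host regardless of Docker state
        echo "unsafe-mode"
    elif [ "$docker_state" != "up" ]; then
        # tool in use and no Docker daemon: the fallback path applies
        echo "sandbox-fallback"
    else
        echo "docker"
    fi
}

# When called with a project path, report the live Docker state and the result.
if [ -n "${1:-}" ]; then
    if docker_reachable; then state=up; else state=down; fi
    echo "docker daemon: $state"
    find_unsafe_mode "$1" || true
    echo "exposure: $(classify_exposure "$1" "$state")"
fi
```

A result of `docker` only reflects the daemon state at the moment of the check; the same host reports `sandbox-fallback` if the daemon later stops, so the check is worth running on a schedule.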
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring that Docker is installed and running properly so that the CodeInterpreter tool uses the secure Docker container execution environment.
Avoid running the CodeInterpreter tool in unsafe_mode, which executes code directly on the host and can lead to remote code execution vulnerabilities.
If Docker cannot be used, restrict access to the system and monitor for suspicious activity, as the fallback sandbox environment may still be vulnerable.
Review and update the configuration of the CrewAI CodeInterpreter tool to disable unsafe execution modes and enforce the use of Docker containers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the CrewAI CodeInterpreter tool allows remote code execution (RCE) through arbitrary C function calls when Docker is unreachable and the tool falls back to SandboxPython. This can lead to unauthorized access or manipulation of sensitive data.
Such unauthorized access or execution could potentially compromise the confidentiality and integrity of personal or sensitive data, which are key requirements under regulations like GDPR and HIPAA.
Therefore, this vulnerability may negatively impact compliance with these standards by increasing the risk of data breaches or unauthorized data processing.