CVE-2026-2275
Received Received - Intake
Remote Code Execution in CrewAI CodeInterpreter via SandboxPython Fallback

Publication date: 2026-03-30

Last updated on: 2026-03-31

Assigner: CERT/CC

Description
The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2275
EUVD
EUVD-2026-17117
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
crewai codeinterpretertool *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the CrewAI CodeInterpreter tool occurs because when it cannot reach Docker, it falls back to using SandboxPython. This fallback can enable remote code execution (RCE) through arbitrary C function calls, which means an attacker could potentially execute malicious code on the host system.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary code remotely on the affected system. This could lead to unauthorized access, data theft, system compromise, or further exploitation of the environment where the CrewAI CodeInterpreter tool is running.

Detection Guidance

Detection of this vulnerability involves verifying whether the CrewAI CodeInterpreter tool is running in an environment where Docker is unavailable, causing it to fall back to the SandboxPython mode which can enable remote code execution.

You can check if Docker is installed and running on the system using the following commands:

  • docker info
  • systemctl status docker

If Docker is not running or not installed, the CodeInterpreter tool may be running in the less secure sandbox mode. Additionally, check if the tool is running with the unsafe_mode parameter enabled, which allows execution of arbitrary Python code on the host.

To detect if the unsafe_mode is enabled or if the tool is running without Docker, inspect the configuration or logs of the CrewAI CodeInterpreter tool.

Mitigation Strategies

Immediate mitigation steps include ensuring that Docker is installed and running properly so that the CodeInterpreter tool uses the secure Docker container execution environment.

Avoid running the CodeInterpreter tool in unsafe_mode, which executes code directly on the host and can lead to remote code execution vulnerabilities.

If Docker cannot be used, restrict access to the system and monitor for suspicious activity, as the fallback sandbox environment may still be vulnerable.

Review and update the configuration of the CrewAI CodeInterpreter tool to disable unsafe execution modes and enforce the use of Docker containers.

Compliance Impact

The vulnerability in the CrewAI CodeInterpreter tool allows remote code execution (RCE) through arbitrary C function calls when Docker is unreachable and the tool falls back to SandboxPython. This can lead to unauthorized access or manipulation of sensitive data.

Such unauthorized access or execution could potentially compromise the confidentiality and integrity of personal or sensitive data, which are key requirements under regulations like GDPR and HIPAA.

Therefore, this vulnerability may negatively impact compliance with these standards by increasing the risk of data breaches or unauthorized data processing.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2275. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart