CVE-2026-2285
Received - Intake
Arbitrary File Read in CrewAI JSON Loader Enables Local Data Access

Publication date: 2026-03-30

Last updated on: 2026-04-15

Assigner: CERT/CC

Description
CrewAI contains an arbitrary local file read vulnerability in the JSON loader tool, which reads files without path validation, enabling access to files on the server.
Meta Information
  • Published: 2026-03-30
  • Last Modified: 2026-04-15
  • Generated: 2026-05-27
  • AI Q&A: 2026-03-30
  • EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor | Product | Version / Range
crewai | crewai | 1.0.0
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2285 is an arbitrary local file read vulnerability in CrewAI's JSON loader tool. The tool reads files without proper path validation, which allows an attacker to access arbitrary files on the server hosting CrewAI.

CrewAI is a platform for orchestrating multi-agent AI systems, and this vulnerability arises from insecure default configurations and fallback behaviors in the CrewAI agent and its Docker environment.

Exploitation requires an attacker to influence a CrewAI agent with the Code Interpreter Tool enabled, either through direct or indirect prompt injection.
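
The missing path validation described above, shown next to a loader confined to one directory, as an added example that is not CrewAI's code or its fix. The function names, the `base_dir` parameter and the sample files are assumptions constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path


class PathNotAllowed(Exception):
    """Raised when a requested file resolves outside the allowed directory."""


def load_json_unvalidated(path):
    # The pattern the description names: the caller-supplied path is opened as-is.
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def load_json_confined(path, base_dir):
    # Hypothetical hardened loader: resolve symlinks and ".." first, then
    # require the real path to sit under base_dir and be a regular file.
    base = Path(base_dir).resolve(strict=True)
    target = (base / path).resolve(strict=True)  # an absolute `path` replaces base
    if not target.is_relative_to(base):
        raise PathNotAllowed(f"{path!r} resolves outside {base}")
    if not target.is_file():
        raise PathNotAllowed(f"{path!r} is not a regular file")
    with open(target, encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    # Constructed sample data: one allowed file and one file outside the base.
    root = Path(tempfile.mkdtemp())
    data = root / "data"
    data.mkdir()
    (data / "ok.json").write_text('{"status": "ok"}')
    secret = root / "secret.json"
    secret.write_text('{"api_key": "CONSTRUCTED-PLACEHOLDER"}')
    os.symlink(secret, data / "link.json")  # symlink pointing out of the base
    results = {"allowed": load_json_confined("ok.json", data)}
    for attempt in ("../secret.json", str(secret), "link.json"):
        try:
            load_json_confined(attempt, data)
            results[attempt] = "read"
        except PathNotAllowed:
            results[attempt] = "blocked"
    # The unvalidated loader returns the out-of-scope file for the same input.
    results["unvalidated"] = load_json_unvalidated(data / ".." / "secret.json")
    return results
```

The check runs on the resolved path, so relative traversal, absolute paths and symlinks are all judged by where the file actually lives rather than by how the request was spelled.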


How can this vulnerability impact me?

This vulnerability allows unauthorized local file access on the server running CrewAI, which can lead to credential theft or further system compromise.

Depending on the host's configuration and Docker availability, the impact can range from arbitrary file reads to full remote code execution when combined with related vulnerabilities.

  • Attackers could leverage this flaw to access sensitive files on the server.
  • It may enable attackers to escalate their access or execute arbitrary code if other vulnerabilities are present.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2026-2285 involves monitoring for unauthorized access attempts to local files via the CrewAI JSON loader tool, which lacks path validation.

Since exploitation requires influencing a CrewAI agent with the Code Interpreter Tool enabled, detection can include monitoring logs for unusual or unexpected file read requests initiated by CrewAI agents.

Specific commands are not provided in the available resources, but general approaches include:

  • Reviewing CrewAI agent logs for suspicious file access patterns.
  • Using system tools like 'lsof' or 'auditd' on Linux to monitor file access by the CrewAI process.
  • Checking Docker container logs if CrewAI is running in Docker to detect fallback to insecure sandbox modes.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps for CVE-2026-2285 include:

  • Disabling or restricting the use of the Code Interpreter Tool within CrewAI to prevent exploitation.
  • Avoiding the 'allow_code_execution=True' setting unless absolutely necessary.
  • Sanitizing all inputs to CrewAI agents to prevent malicious prompt injection.
  • Limiting agent exposure to untrusted data sources.
  • Monitoring Docker availability to ensure CrewAI does not fall back to insecure sandbox modes vulnerable to exploitation.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-2285 vulnerability allows arbitrary local file read access on the server hosting CrewAI due to lack of path validation in the JSON loader tool.

This unauthorized file access could lead to credential theft or exposure of sensitive data, which may impact compliance with data protection standards and regulations such as GDPR and HIPAA.

Specifically, unauthorized access to personal or protected health information could violate confidentiality and data security requirements mandated by these regulations.

Therefore, exploitation of this vulnerability could result in non-compliance with common standards that require strict controls on data access and protection.

