Description
The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling.
Published: 2026-03-30
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

CrewAI’s CodeInterpreter tool has a flaw where it falls back to a sandboxed Python execution environment instead of using Docker when Docker is unavailable. This fallback permits the execution of arbitrary C functions, effectively enabling remote code execution. The weakness lies in improper restriction of operations, allowing an attacker to run code beyond intended boundaries.

Affected Systems

The vulnerability affects the CrewAI CodeInterpreter component. No specific version details are provided; all installations of the CodeInterpreter tool without patches are potentially vulnerable.

Risk and Exploitability

Because the flaw can be triggered by any user of the affected application, the risk is significant. The CVSS score is not publicly disclosed, and EPSS data is missing, but remote code execution generally carries high severity. The vulnerability is not listed in the CISA KEV catalog, yet the lack of a CVSS score does not lessen the potential for exploitation. Attackers could likely exploit the vulnerability by using normal interaction with the CodeInterpreter endpoint, as the fallback is automatic when Docker is unreachable.

Generated by OpenCVE AI on March 30, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest CrewAI updates that address the CodeInterpreter fallback issue.
  • If an update is pending, restrict access to the CodeInterpreter service to trusted users.
  • Configure the application to permanently disable the Docker fallback or force Docker usage.
  • Monitor logs for any anomalous invocation of C functions via the CodeInterpreter tool.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

  • First Time appeared (values added): Crewai; Crewai crewai
  • Vendors & Products (values added): Crewai; Crewai crewai

Tue, 31 Mar 2026 18:15:00 +0000

  • Weaknesses: CWE-749
  • Metrics (cvssV3_1, values added): {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}
  • Metrics (ssvc, values added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

  • Weaknesses: CWE-79, CWE-94

Mon, 30 Mar 2026 16:15:00 +0000

  • Description (values added): The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling.
  • Title (values added): CVE-2026-2275
References

MITRE

  Status: PUBLISHED
  Assigner: certcc
  Published:
  Updated: 2026-03-31T17:53:04.735Z
  Reserved: 2026-02-10T12:06:47.960Z
  Link: CVE-2026-2275

Vulnrichment

  Updated: 2026-03-31T17:50:49.435Z

NVD

  Status: Received
  Published: 2026-03-30T16:16:04.557
  Modified: 2026-03-31T18:16:46.573
  Link: CVE-2026-2275

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-03-31T20:40:50Z

Weaknesses