Description
CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Mon, 13 Jul 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints. | |
| Title | CrewAI < 1.15.1 SSRF Filter Bypass via HTTP Redirect in Scrape Tools | |
| First Time appeared |
Crewai
Crewai crewai |
|
| Weaknesses | CWE-918 | |
| CPEs | cpe:2.3:a:crewai:crewai:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Crewai
Crewai crewai |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-13T21:04:03.774Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62240
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-918
Server-Side Request Forgery (SSRF)