CrewAI — Four CVEs Chain Sandbox Escape to Cloud Takeover (VU#221883)
AI relevance: CrewAI is one of the most widely deployed multi-agent orchestration frameworks, and CERT/CC's VU#221883 documents a complete kill chain where prompt injection in a RAG document or tool response leads to host-level RCE, then cloud credential theft — no LLM jailbreak required.
- CVE-2026-2275 (CVSS 8.6) — Code Interpreter tool falls back to `SandboxPython` when Docker is unavailable. `SandboxPython` does not block `ctypes`, so an injected prompt can call `ctypes.CDLL("libc.so.6").system()` for host RCE. Fires whenever `allow_code_execution=True`.
- CVE-2026-2287 — CrewAI does not monitor Docker availability at runtime. If Docker goes down mid-session (resource pressure, container restart, or deliberate DoS), the agent silently falls back to the unsafe sandbox instead of failing closed. An attacker who triggers even momentary Docker disruption gets an exploitation window.
- CVE-2026-2286 — RAG search tools do not validate URLs at runtime. An agent processing attacker-controlled content can be prompted to query cloud metadata endpoints (AWS IMDSv1, GCP metadata, Azure), yielding instance roles, API keys, and service account tokens — the path from host RCE to full cloud account takeover.
- CVE-2026-2285 — JSON loader reads files without path validation. A prompt injection asking the agent to load `~/.aws/credentials` or `/etc/shadow` succeeds, and the contents are returned in the agent's response context, potentially exfiltrated via connected Slack/email integrations.
- The complete kill chain: malicious PDF in RAG corpus → prompt injection → Code Interpreter → ctypes sandbox escape → SSRF to cloud metadata → credential exfil → full account takeover. Four steps, all rated CVSS 7.5+.
- CERT/CC notes the vendor has not fully patched all four vulnerabilities. Only CVE-2026-2275 and CVE-2026-2287 have vendor statements; CVE-2026-2285 and CVE-2026-2286 remain unresolved as of the advisory date.
- This is part of a broader pattern: Lyrie Research's May 2026 analysis documents the same structural flaw across LangFlow, GPT Researcher, and LiteLLM — AI agent frameworks shipping unsafe defaults that transform prompt injection into unauthenticated shell access.
Why it matters
The threat model has shifted. Adversaries no longer need to jailbreak the LLM — they just need to talk to an agent that has the wrong tool enabled. CrewAI is used in production by thousands of teams, and the silent Docker fallback means even properly configured deployments become vulnerable under resource pressure.
What to do
- Disable `allow_code_execution` on CrewAI agents unless absolutely necessary; if required, enforce Docker and fail closed on container unavailability.
- Validate and sandbox all URLs passed to RAG search tools — block cloud metadata endpoints.
- Audit JSON loader file access paths; restrict to whitelisted directories only.
- Monitor CERT/CC VU#221883 for vendor patch status on the two unresolved CVEs.
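The three code-level mitigations above (fail closed on Docker, block metadata endpoints in RAG URLs, confine JSON loader paths to an allowlist) as one added Python example. This is not CrewAI code and not from the CERT/CC advisory; the function names, the `/tmp/rag/docs` allowlist directory and the idea of wrapping each tool call with these guards are assumptions for illustration. The guards are framework-agnostic and would sit in whatever wrapper you put around a tool before it touches the network, the filesystem, or an interpreter.

```python
"""Defensive guards for agent tool calls (added example; not CrewAI's own code).

Assumptions (not from the advisory): the function names, the allowlist root and
the probe-injection pattern below are hypothetical and chosen for this example.
"""
import ipaddress
import shutil
import subprocess
from pathlib import Path
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Well-known cloud metadata hosts. 169.254.169.254 is shared by AWS, GCP and
# Azure; fd00:ec2::254 is the AWS IMDS IPv6 address; metadata.google.internal
# is GCP's DNS name for the same service.
METADATA_HOSTS = {
    "169.254.169.254",
    "fd00:ec2::254",
    "metadata.google.internal",
}


def is_safe_rag_url(url: str) -> bool:
    """Allow only http(s) URLs whose host is neither a metadata endpoint nor a
    private, loopback, link-local or multicast address literal.

    Caveat: a DNS name that resolves to 169.254.169.254 passes this check.
    Resolve the name, re-run the IP test on the answer and connect to that
    pinned address so a later re-resolution cannot swap in a metadata IP.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or host in METADATA_HOSTS:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name: allowed here, subject to the caveat above
    return ip.is_global and not ip.is_multicast


def resolve_within_allowlist(user_path: str, allowed_roots: Iterable[str]) -> Path:
    """Expand '~', follow symlinks and normalise '..', then accept the path only
    if the final target is one of allowed_roots or lies beneath one of them.

    Resolving before comparing means a symlink planted inside an allowed
    directory that points at a secrets file is rejected rather than followed.
    """
    target = Path(user_path).expanduser().resolve()
    for root in allowed_roots:
        root_path = Path(root).expanduser().resolve()
        if target == root_path or root_path in target.parents:
            return target
    raise PermissionError(f"path {user_path!r} is outside the allowed directories")


def docker_available() -> bool:
    """Default probe: the docker CLI exists and the daemon answers `docker info`."""
    if shutil.which("docker") is None:
        return False
    try:
        result = subprocess.run(["docker", "info"], capture_output=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def require_docker(probe: Callable[[], bool] = docker_available) -> None:
    """Fail closed: raise instead of letting a code-execution tool fall back to
    a non-Docker sandbox. Call this before every code-execution request, not
    once at start-up, because availability can change mid-session."""
    if not probe():
        raise RuntimeError("Docker unavailable: refusing to execute agent code")


if __name__ == "__main__":
    # Constructed sample inputs for a quick local check.
    for u in ("https://docs.example.com/guide", "http://169.254.169.254/latest/meta-data/"):
        print(u, "->", "allowed" if is_safe_rag_url(u) else "blocked")
    try:
        resolve_within_allowlist("/tmp/rag/docs/../../../etc/shadow", ["/tmp/rag/docs"])
    except PermissionError as exc:
        print("blocked:", exc)
```

The `probe` parameter on `require_docker` exists so the fail-closed decision can be exercised in tests without a Docker daemon; in production the default `docker info` probe runs on each request, which is what the mid-session fallback described in CVE-2026-2287 calls for.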