{"data":{"id":"6bfe3ce4-b788-42f4-bcd0-d8fd389820dd","title":"CVE-2026-62240: CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one","summary":"CrewAI versions before 1.15.1 have a server-side request forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making unwanted network requests) in the validate_url function. Attackers can bypass security checks by using URL redirects or DNS rebinding techniques (methods that change where a domain points to after an initial lookup) to access internal services and cloud metadata that should be blocked.","solution":"Upgrade to CrewAI version 1.15.1 or later. The source references a GitHub commit (5d4851eac797cafc45b726f65747fe2c9520fc42) and pull request #6331 that address this vulnerability.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-62240","publishedAt":"2026-07-13T22:16:52.117Z","cveId":"CVE-2026-62240","cweIds":["CWE-918"],"cvssScore":"7.4","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["CrewAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-07-13T22:16:52.117Z","capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":["AML.T0010"]}}