{"data":{"id":"d82d1b35-61fa-4993-bf83-a6605dd9cdf4","title":"CVE-2026-2286: CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud ser","summary":"CrewAI contains a server-side request forgery vulnerability (SSRF, where an attacker tricks a server into making unwanted requests to other systems) that allows attackers to access content from internal and cloud services. The vulnerability exists because the RAG search tools (a feature that retrieves external documents to help answer questions) do not properly validate URLs that users provide at runtime.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-2286","publishedAt":"2026-03-30T16:16:04.777Z","cveId":"CVE-2026-2286","cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"medium","attackType":["rag_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["CrewAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-30T16:16:04.777Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality"],"aiComponentTargeted":"rag","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0020","AML.T0051.001"]}}