{"data":{"id":"fe432996-a4e2-4b63-be41-d035264d35bb","title":"CVE-2026-2285: CrewAI contains an arbitrary local file read vulnerability in the JSON loader tool that reads files without path validation","summary":"CrewAI has a vulnerability where its JSON loader tool reads files without checking file paths, allowing attackers to access any file on the server. This is called arbitrary local file read, and it happens because the tool doesn't validate (check) which files users are allowed to access.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-2285","publishedAt":"2026-03-30T16:16:04.670Z","cveId":"CVE-2026-2285","cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"medium","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["CrewAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-30T16:16:04.670Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}