CVE-2026-62240: CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one
Summary
CrewAI versions before 1.15.1 have a server-side request forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making unwanted network requests) in the validate_url function. Attackers can bypass security checks by using URL redirects or DNS rebinding techniques (methods that change where a domain points to after an initial lookup) to access internal services and cloud metadata that should be blocked.
Solution / Mitigation
Upgrade to CrewAI version 1.15.1 or later. The source references a GitHub commit (5d4851eac797cafc45b726f65747fe2c9520fc42) and pull request #6331 that address this vulnerability.
Vulnerability Details
7.4(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
network
low
none
required
July 13, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-62240
First tracked: July 13, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 92%