CVE-2026-2286: CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services
Summary
CrewAI contains a server-side request forgery (SSRF) vulnerability, a flaw in which an attacker induces the server to make requests to other systems on the attacker's behalf, that allows attackers to access content from internal and cloud services. The vulnerability exists because the RAG search tools (the retrieval-augmented generation feature that fetches external documents to help answer questions) do not properly validate URLs that users supply at runtime, so a user-controlled URL is fetched by the server without restriction on its destination.
Vulnerability Details
EPSS: 0.0%
March 30, 2026
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-2286
First tracked: March 30, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 85%