CrewAI, a popular framework for orchestrating multi-agent AI systems, has been found vulnerable to a chain of critical security flaws that could allow attackers to break out of sandboxed environments and take full control of host machines. The vulnerabilities were identified by security researcher Yarden Porat of Cyata, who uncovered four major issues that expose systems to remote code execution (RCE), server-side request forgery (SSRF), and unauthorized local file access. These flaws can be exploited through prompt injection attacks, where malicious inputs manipulate AI agents into performing unintended and potentially harmful actions.

Multiple critical vulnerabilities have been identified that expose serious security gaps in AI-driven systems. One flaw allows the Code Interpreter tool to quietly switch to an insecure SandboxPython environment when Docker is unavailable, enabling attackers to execute arbitrary C functions through ctypes. Another issue involves a server-side request forgery (SSRF) weakness in RAG search tools, caused by insufficient URL validation, which can be exploited to access internal systems and cloud metadata. Additionally, CrewAI fails to continuously monitor Docker availability during runtime, meaning that if Docker stops mid-session, the system automatically falls back to an unsafe sandbox environment susceptible to remote code execution (RCE). Finally, the JSON loader tool lacks proper file path validation, allowing attackers to read sensitive files directly from the server’s filesystem.

The attack typically begins with prompt injection, allowing an adversary to hijack an AI agent’s behavior. If the Code Interpreter Tool is enabled, attackers can escalate their access depending on the system’s configuration. In Docker-enabled environments, attackers may achieve sandbox escape. In less secure or misconfigured setups, the vulnerabilities could lead to full remote code execution, granting complete control over the host system. Beyond initial compromise, attackers may also steal credentials and move laterally across networks, amplifying the potential damage.

At present, there is no comprehensive patch addressing all four vulnerabilities. The vendor has acknowledged the issues and is working on fixes, including blocking unsafe modules like ctypes and enforcing fail-secure mechanisms instead of reverting to insecure sandbox modes.

In the meantime, security teams are urged to take immediate action:

  • Disable the Code Interpreter Tool unless absolutely necessary
  • Sanitize all untrusted inputs to prevent prompt injection
  • Closely monitor Docker availability to avoid insecure fallback behavior
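
As an added illustration of the fail-secure and URL-validation mitigations described here (this is example code, not CrewAI's or Cyata's), the following Python sketches two guards: an executor selector that refuses to run when a fresh Docker probe fails rather than downgrading to an in-process sandbox, and a fetch-URL check that rejects loopback, private and link-local (cloud metadata) destinations. The function names and the constructed DNS table are assumptions.

```python
import ipaddress
import shutil
import socket
import subprocess
from urllib.parse import urlsplit


class SandboxUnavailable(RuntimeError):
    """Raised instead of falling back to an unsandboxed interpreter."""


def docker_available(timeout=3.0):
    """Probe the Docker daemon now, not only at start-up, so a daemon that
    stops mid-session is noticed before the next execution."""
    if shutil.which("docker") is None:
        return False
    try:
        res = subprocess.run(["docker", "info"], capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return res.returncode == 0


def select_executor(probe=docker_available):
    """Fail closed: return the Docker executor or refuse outright."""
    if not probe():
        raise SandboxUnavailable("Docker unavailable; refusing to run agent code")
    return "docker"


def is_safe_fetch_url(url, resolve=lambda h: socket.gethostbyname_ex(h)[2]):
    """Allow only http(s) URLs whose host resolves solely to public addresses.
    is_global excludes loopback, RFC 1918, link-local (169.254.0.0/16, where
    cloud metadata lives), shared and reserved ranges. Callers should connect
    to the vetted address itself to avoid DNS rebinding between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:  # a hostname rather than an IP literal: resolve it
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError):
            return False
    return bool(addrs) and all(a.is_global for a in addrs)


def constructed_resolve(host):
    # Constructed stand-in for DNS so the example runs offline.
    table = {"example.com": ["93.184.216.34"], "intranet.corp": ["10.0.0.5"]}
    if host not in table:
        raise OSError("unresolvable host: " + host)
    return table[host]
```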

Organizations using CrewAI in production environments are advised to treat these vulnerabilities as critical and implement mitigations without delay while awaiting official patches. The discovery highlights the growing security challenges associated with AI-driven systems, particularly as they become more autonomous and deeply integrated into enterprise workflows.
