CrewAI Arbitrary Local File Read Vulnerability in JSON Loader Tool

Vulnerability

An arbitrary local file read vulnerability has been identified in CrewAI's JSON loader tool. The tool opens whatever file path it is given without validating that the path stays inside an intended directory, so any caller that controls the path argument can read files the server process has access to. The issue was disclosed alongside a broader set of CrewAI vulnerabilities, including remote code execution and server-side request forgery.

Impact

Exploitation of this vulnerability allows arbitrary file read, limited to what the server process itself can read. That is typically enough to expose sensitive material such as configuration files, credentials and keys kept on the host.

Remediation

The remediation guidance published with this entry concerns the Code Interpreter Tool from the same disclosure: remove or restrict that tool wherever possible, and monitor Docker availability so the tool cannot fall back to an insecure sandbox mode. It does not address the JSON loader itself. For the file-read issue the standard control is to confine the loader to an allowed base directory and reject any path that, once resolved (".." segments collapsed, symlinks followed), lies outside it.
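The following is an added example, not CrewAI's code and not the project's fix. It shows the pattern the Vulnerability section describes (a loader that opens the supplied path as-is) beside a hardened loader that applies the containment check recommended above. The function names, the base directory and the sample files are all constructed for the illustration.

```python
import json
import tempfile
from pathlib import Path


def load_json_unsafe(path: str) -> dict:
    """The pattern the advisory describes: the caller-supplied path is opened
    as-is. A value like "../../etc/passwd" or an absolute path reads any
    file the process can read."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def resolve_inside(base_dir: str, user_path: str) -> Path:
    """Return the real path of user_path only if it lies inside base_dir.

    Path.resolve() collapses ".." segments and follows symlinks, so the
    containment check runs on the file the OS would actually open, not on
    the string the caller passed. An absolute user_path replaces base_dir
    when joined (pathlib semantics) and is therefore rejected as well.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"{user_path!r} escapes {base_dir!r}") from None
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean form of the same check; works on paths that do not exist."""
    try:
        resolve_inside(base_dir, user_path)
        return True
    except PermissionError:
        return False


def load_json_safe(base_dir: str, user_path: str) -> dict:
    """Hardened loader: confine to base_dir and accept only .json files."""
    target = resolve_inside(base_dir, user_path)
    if target.suffix.lower() != ".json":
        raise PermissionError(f"{user_path!r} is not a .json file")
    with open(target, "r", encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> dict:
    """Build a constructed directory layout (not real CrewAI data) and show
    that the unsafe loader escapes the data directory while the hardened
    one refuses. Returns the observations so they can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        data = root / "data"
        data.mkdir()
        (data / "config.json").write_text(json.dumps({"name": "demo"}))
        # Sits next to, not inside, the allowed directory.
        (root / "secret.json").write_text(
            json.dumps({"token": "constructed-placeholder"}))

        out = {}
        out["unsafe_reads_outside"] = load_json_unsafe(str(data / ".." / "secret.json"))
        out["safe_reads_inside"] = load_json_safe(str(data), "config.json")
        try:
            load_json_safe(str(data), "../secret.json")
            out["safe_blocked_traversal"] = False
        except PermissionError:
            out["safe_blocked_traversal"] = True
        try:
            load_json_safe(str(data), str(root / "secret.json"))
            out["safe_blocked_absolute"] = False
        except PermissionError:
            out["safe_blocked_absolute"] = True
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is deliberately done on the resolved path rather than by rejecting ".." substrings: string filters miss absolute paths, symlinks inside the allowed directory that point elsewhere, and encoded variants, whereas a containment check on the real path covers all of them.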

Added: Mar 30, 2026, 4:31 PM
Updated: Mar 30, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 4.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.