CVE-2026-2285 -- CVSS 7.5 Vulnerability Briefing

CVE-2026-2285 | CVSS 7.5 (High) | Exploit: Operational

What Is It

CVE-2026-2285 is a path traversal vulnerability in the JSON file loader component of CrewAI, the multi-agent AI framework developed by crewAI Inc., which allows an unauthenticated attacker to read arbitrary files from the host filesystem.

Technical Detail

The JSON loader in CrewAI fails to validate or sanitize user-supplied file paths before processing them, enabling an attacker to inject path traversal sequences such as ../../../etc/passwd to escape the intended working directory and access sensitive files on the underlying system. Exploitation requires no authentication and can be triggered wherever CrewAI accepts external or untrusted input for file loading operations. The direct impact is unauthorized read access to arbitrary files (MITRE T1083, T1005), which can expose credentials, configuration files, private keys, or other sensitive data that may facilitate further compromise. This vulnerability was disclosed by researcher Yarden Porat as part of a coordinated release alongside three related issues: CVE-2026-2275 (sandbox escape and RCE via ctypes), CVE-2026-2286 (SSRF via RAG search), and CVE-2026-2287 (RCE via Docker daemon fallback), collectively representing a significant attack surface in CrewAI deployments.

Exploitation Status

The exploit maturity for this vulnerability is rated Operational, meaning a functional exploit exists and is considered reliable enough for use in real-world attack scenarios. This is beyond proof-of-concept stage. CISA has not added this CVE to the Known Exploited Vulnerabilities catalog as of the date of this briefing, and no confirmed in-the-wild exploitation has been publicly reported. However, the operational maturity rating and the public disclosure of technical details by the original researcher increase the likelihood of near-term exploitation attempts.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Given the nature of the vulnerability and the targeted sectors, organizations deploying CrewAI in AI/ML infrastructure or enterprise software environments should treat this as a credible risk regardless of attribution, particularly in deployments where CrewAI processes input from external or semi-trusted sources.

What To Do

Organizations should apply any available patch or updated release from crewAI Inc. that addresses path traversal in the JSON loader component as a high priority, given the CVSS score of 7.5 and operational exploit maturity. If a patched version is not yet available, the immediate workaround is to restrict CrewAI's access to untrusted input at the application or network boundary, enforce strict file system permissions on the user account running CrewAI to limit readable paths, and isolate CrewAI instances from sensitive host resources using containerization or sandboxing. Detection should focus on anomalous file access patterns in application logs, particularly requests containing sequences such as ../ or references to system paths like /etc/ or /proc/. Given the co-disclosed RCE vulnerabilities in the same framework, defenders should treat any unpatched CrewAI deployment exposed to untrusted input as a high-risk asset and prioritize remediation across all four related CVEs simultaneously.
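The missing validation described under Technical Detail, and the advice to restrict untrusted input at the application boundary, come down to a containment check on the resolved path. The following is an added example, not CrewAI's code or its patch; `resolve_inside`, `load_json_checked` and the temporary directory layout are hypothetical names and constructed test data.

```python
import json
import os
import tempfile
from pathlib import Path


class PathOutsideBaseError(ValueError):
    """Raised when a requested file resolves outside the allowed directory."""


def resolve_inside(base_dir, user_path):
    """Return the real path of user_path only if it stays under base_dir."""
    base = Path(base_dir).resolve(strict=True)
    # An absolute user_path replaces base in the join; the check below catches it.
    candidate = (base / user_path).resolve(strict=False)
    # resolve() collapses ".." and follows symlinks, so real paths are compared.
    if candidate != base and base not in candidate.parents:
        raise PathOutsideBaseError(f"{user_path!r} escapes {base}")
    return candidate


def load_json_checked(base_dir, user_path):
    """Hypothetical boundary wrapper: validate the path, then parse the JSON."""
    path = resolve_inside(base_dir, user_path)
    with path.open("r", encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Constructed sandbox: two legitimate requests and four escape attempts."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "data")
        base.mkdir()
        (base / "ok.json").write_text('{"k": 1}', encoding="utf-8")
        Path(root, "secret.json").write_text('{"s": 2}', encoding="utf-8")
        os.symlink(Path(root, "secret.json"), base / "link.json")
        for p in ("ok.json", "sub/../ok.json", "../secret.json",
                  "../../../etc/passwd", "/etc/passwd", "link.json"):
            try:
                results[p] = load_json_checked(base, p)
            except PathOutsideBaseError:
                results[p] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The check and the open are separate steps, so a symlink swapped in between them is not covered; file system permissions and isolation remain necessary alongside it.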
