PT-2026-57904 · Crewaiinc · Crewai

George Chen

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-62240

CVSS v3.1

7.4

High

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-62240

Affected Products

Crewai