PT-2026-57904 · Crewaiinc · Crewai
George Chen
·
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-62240
CVSS v3.1
7.4
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints.
Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Crewai