CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints.
Metrics
Affected Vendors & Products
References
History
Tue, 14 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 13 Jul 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints. | |
| Title | CrewAI < 1.15.1 SSRF Filter Bypass via HTTP Redirect in Scrape Tools | |
| First Time appeared |
Crewai
Crewai crewai |
|
| Weaknesses | CWE-918 | |
| CPEs | cpe:2.3:a:crewai:crewai:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Crewai
Crewai crewai |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-07-13T21:04:03.774Z
Updated: 2026-07-14T13:06:13.692Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62240
Updated: 2026-07-14T13:06:07.375Z
No data.
No data.