CVE-2026-2285 | THREATINT

Description

CrewAI contains a arbitrary local file read vulnerability in the JSON loader tool that reads files without path validation, enabling access to files on the server.

PUBLISHED Reserved 2026-02-10 | Published 2026-03-30 | Updated 2026-04-01 | Assigner certcc

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

1.0

affected

References

www.kb.cert.org/vuls/id/221883

cve.org (CVE-2026-2285)

nvd.nist.gov (CVE-2026-2285)

Download JSON