CVE-2026-62240 PUBLISHED

CrewAI < 1.15.1 SSRF Filter Bypass via HTTP Redirect in Scrape Tools

Assigner: VulnCheck
Reserved: 13.07.2026 Published: 13.07.2026 Updated: 14.07.2026

CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
CVSS Score: 8.3

Product Status

Vendor crewAIInc
Product crewAI
Versions Default: unaffected
  • affected from 0 to 1.15.1 (excl.)

Credits

  • George Chen finder

References

Problem Types

  • Server-Side Request Forgery (SSRF) CWE