CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints.
Metrics
Affected Vendors & Products
References
History
Mon, 13 Jul 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints. | |
| Title | CrewAI < 1.15.1 SSRF Filter Bypass via HTTP Redirect in Scrape Tools | |
| First Time appeared |
Crewai
Crewai crewai |
|
| Weaknesses | CWE-918 | |
| CPEs | cpe:2.3:a:crewai:crewai:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Crewai
Crewai crewai |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-13T21:04:03.774Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62240
No data.
No data.
No data.
OpenCVE Enrichment
No data.