CrewAI Docker Fallback: How Nixer Detects CVE-2026-2287 CVE-2026-2287
The Vulnerability
What CrewAI Is
CrewAI is an open-source Python framework for orchestrating multi-agent AI systems. The CodeInterpreterTool enables agents to execute Python 3 code inside a Docker container for safe isolation. If Docker is unavailable, it falls back to SandboxPython.
Where the Flaw Lives
File: crewai_tools/tools/code_interpreter_tool/code_interpreter_tool.py
The vulnerable code is run_code_safety():
run_code_in_restricted_sandbox() uses SandboxPython.exec() which blocks os, sys, subprocess, etc. — but NOT ctypes.
SandboxPython restricts Python builtins, but ctypes is not a builtin — it's a module that provides FFI to C library calls:
Additionally, run_code_unsafe() has command injection:
Attacker-controlled libraries_used → pip install "numpy; id #" → arbitrary shell command.
The Exploit Chain
Why Agent Frameworks Are Uniquely Exposed
CVE-2026-2287 is not a CrewAI bug — it's a category. Agent frameworks execute LLM-generated code via exec(). When the security boundary (Docker) fails, the fallback sandbox (SandboxPython) was never designed to withstand adversarial input. ctypes bypasses all Python-level sandboxing because it's a C library call, not a Python builtin.
Prompt injection → tool call → code execution → container fallback → RCE. Every link in the chain is exploitable.
How Nixer Detects CVE-2026-2287
Detection Rule Logic
| Rule ID | nixer/agent-framework/crewai-code-interpreter-fallback |
| Severity | CRITICAL | CVSS 9.8 |
| CVSS | 9.8 |
| Module | agent-security |
Detection logic:
- Taint source: user input → agent prompt → tool call argument (
code,libraries_used) - Dangerous sink:
CodeInterpreterTool.run_code_safety()→run_code_in_restricted_sandbox() - Pattern:
allow_code_execution=TrueORCodeInterpreterTool()in codebase - Alert:
SandboxPython.BLOCKED_MODULESlacks'ctypes'
Example SARIF Finding
The Fix
CodeInterpreterTool removed entirely from crewai-tools (PRs #4791, #5309). Use E2B or Modal for code execution.
Upgrade
If upgrade not possible
- Remove
CodeInterpreterToolfrom all agents - Disable
allow_code_execution=True
References
Get Nixer in Your CI Pipeline
One command. Every PR. Zero excuse.