CrewAI Docker Fallback: How Nixer Detects CVE-2026-2287 CVE-2026-2287

TL;DR
CVECVE-2026-2287
CVSS9.8 Critical (CISA-ADP)
AffectedCrewAI (all versions with CodeInterpreterTool)
ImpactSilent Docker fallback → SandboxPython with unblocked ctypes → arbitrary C function calls → RCE
Fixpip install crewai>=latest (CodeInterpreterTool removed in PRs #4791, #5309)
Nixer rulenixer/agent-framework/crewai-code-interpreter-fallback

The Vulnerability

What CrewAI Is

CrewAI is an open-source Python framework for orchestrating multi-agent AI systems. The CodeInterpreterTool enables agents to execute Python 3 code inside a Docker container for safe isolation. If Docker is unavailable, it falls back to SandboxPython.

Where the Flaw Lives

File: crewai_tools/tools/code_interpreter_tool/code_interpreter_tool.py

The vulnerable code is run_code_safety():

def run_code_safety(self, code: str, libraries_used: List[str]) -> str: if self._check_docker_available(): return self.run_code_in_docker(code, libraries_used) else: return self.run_code_in_restricted_sandbox(code) # silent fallback

run_code_in_restricted_sandbox() uses SandboxPython.exec() which blocks os, sys, subprocess, etc. — but NOT ctypes.

# SandboxPython.BLOCKED_MODULES (vulnerable version): BLOCKED_MODULES = { "os", "sys", "subprocess", "shutil", "importlib", "inspect", "tempfile", "sysconfig", "builtins", # ctypes NOT blocked → arbitrary C function calls }

SandboxPython restricts Python builtins, but ctypes is not a builtin — it's a module that provides FFI to C library calls:

import ctypes libc = ctypes.CDLL(None) libc.system(b"id") # RCE — executes as host user, bypasses all Python sandboxing

Additionally, run_code_unsafe() has command injection:

def run_code_unsafe(self, code: str, libraries_used: List[str]) -> str: for library in libraries_used: os.system(f"pip install {library}") # line 378 — no sanitization

Attacker-controlled libraries_usedpip install "numpy; id #" → arbitrary shell command.

The Exploit Chain

1. Attacker injects prompt → CrewAI agent with CodeInterpreterTool 2. Docker becomes unavailable (OOM kill, crash, misconfig) OR unsafe_mode=True 3. run_code_safety() silently falls back to SandboxPython 4. Attacker crafts: import ctypes; libc = ctypes.CDLL(None); libc.system(b"id") 5. RCE on host — no Docker container, no isolation

Why Agent Frameworks Are Uniquely Exposed

CVE-2026-2287 is not a CrewAI bug — it's a category. Agent frameworks execute LLM-generated code via exec(). When the security boundary (Docker) fails, the fallback sandbox (SandboxPython) was never designed to withstand adversarial input. ctypes bypasses all Python-level sandboxing because it's a C library call, not a Python builtin.

The attack chain

Prompt injection → tool call → code execution → container fallback → RCE. Every link in the chain is exploitable.

How Nixer Detects CVE-2026-2287

Detection Rule Logic

Rule IDnixer/agent-framework/crewai-code-interpreter-fallback
SeverityCRITICAL | CVSS 9.8
CVSS9.8
Moduleagent-security

Detection logic:

Example SARIF Finding

{ "version": "2.1.0", "runs": [{ "tool": { "driver": { "name": "Nixer", "version": "1.4.2" } }, "results": [{ "ruleId": "nixer/agent-framework/crewai-code-interpreter-fallback", "level": "error", "message": { "text": "CrewAI CodeInterpreterTool Docker fallback (CVE-2026-2287, CVSS 9.8): SandboxPython does not block ctypes — arbitrary C function calls via FFI. Upgrade crewai-tools." }, "locations": [{ "physicalLocation": { "artifactLocation": { "uri": "crewai_tools/tools/code_interpreter_tool/code_interpreter_tool.py" }, "region": { "startLine": 108 } } }] }] }] }

The Fix

CodeInterpreterTool removed entirely from crewai-tools (PRs #4791, #5309). Use E2B or Modal for code execution.

Upgrade

pip install crewai>=latest pip install crewai-tools>=latest

If upgrade not possible

References

Get Nixer in Your CI Pipeline

One command. Every PR. Zero excuse.