crewAI

v1.14.6 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 6d AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

agents ai ai-agents aiagentframework llms

Affected surfaces

auth rce_ssrf

Summary

AI summary

Updates Bug Fixes, Refactoring, and Beta across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	High	Prevent environment variable leakage in StdioTransport Prevent environment variable leakage in StdioTransport Source: llm_adapter@2026-05-28 Confidence: high	—
Feature
Feature	Low	Allow AgentExecutor to restore from checkpoint Allow AgentExecutor to restore from checkpoint Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Enhance planning configuration and observation handling Enhance planning configuration and observation handling Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Declare env_vars on DatabricksQueryTool Declare env_vars on DatabricksQueryTool Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix
Bugfix	Medium	Fix structured output leaks in tool-calling loops Fix structured output leaks in tool-calling loops Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Drop unroundtrippable callbacks and adapter state in checkpoint Drop unroundtrippable callbacks and adapter state in checkpoint Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Serialize type[BaseModel] fields as JSON schema in checkpoint Serialize type[BaseModel] fields as JSON schema in checkpoint Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Avoid orphan task_started on resume scope restore Avoid orphan task_started on resume scope restore Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Low	Correct mongodb typo to pymongo in package_dependencies Correct mongodb typo to pymongo in package_dependencies Source: llm_adapter@2026-05-28 Confidence: high	—

Full changelog

What's Changed

Features

Enhance StdioTransport to prevent environment variable leakage
Enhance planning configuration and observation handling
Declare env_vars on DatabricksQueryTool
Add Agent Control Plane docs

Bug Fixes

Fix structured output leaks in tool-calling loops
Drop unroundtrippable callbacks and adapter state in checkpoint
Serialize type[BaseModel] fields as JSON schema in checkpoint
Avoid orphan task_started on resume scope restore
Allow AgentExecutor to restore from checkpoint
Correct mongodb typo to pymongo in package_dependencies

Documentation

Add ACP (Beta) docs navigation block to Agent Control Plane pages
Remove consensual process references from processes page
Restructure checkpointing page
Document one-time admin package install step
Migrate Secrets Manager / Workload Identity from replicated-config
Remove {" "} JSX expressions breaking render

Refactoring

Move Skills Repository to experimental + CREWAI_EXPERIMENTAL gate

Contributors

@akaKuruma, @alex-clawd, @github-actions[bot], @greysonlalonde, @heitorado, @iris-clawd, @lorenzejay, @lucasgomide, @mattatcha, @thiagomoretto, @vinibrsl

Security Fixes

Enhance StdioTransport to prevent environment variable leakage

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track crewAI

Get notified when new releases ship.

About crewAI

Framework for orchestrating role-playing, autonomous AI agents. By fostering collaborative intelligence, CrewAI empowers agents to work together seamlessly, tackling complex tasks.

All releases →