Critical severity
CrewAI platform (crewai_plus deployments)
Users encounter a provisioning failure and receive an error response exposing CrewAI's internal GitHub token in JSON: {"id": [ProvisionID], "repo_clone_url":"https://x-access-token:ghu_Ahd...."}.
Root cause
Improper exception handling during machine provisioning failures returned full JSON payloads containing an internal high-privilege GitHub token in the repo_clone_url field without sanitization. Triggered via GET /crewai_plus/deployments/[deployment_id]/check_provision_status on error.
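
A defensive sketch of the missing sanitization step, added here as an example and not CrewAI's code: the error body is first reduced to an allowlist of fields, then any URL credentials or GitHub-style tokens left in string values are redacted before the response is serialized. The `status` and `error` field names, the allowlist, and the sample record are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_).
GITHUB_TOKEN_RE = re.compile(r"\b(?:gh[pousr]_|github_pat_)[A-Za-z0-9_]+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Hypothetical allowlist: the only fields a client needs on a failed provision.
CLIENT_SAFE_FIELDS = {"id", "status", "error"}


def strip_url_credentials(url: str) -> str:
    """Drop the userinfo part (user:password@) from a URL."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def redact(value):
    """Recursively remove URL credentials and GitHub-style tokens."""
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        value = URL_RE.sub(lambda m: strip_url_credentials(m.group(0)), value)
        return GITHUB_TOKEN_RE.sub("[REDACTED]", value)
    return value


def client_error_response(internal: dict) -> dict:
    """Build the error body for the client: allowlist first, then redact."""
    safe = {k: v for k, v in internal.items() if k in CLIENT_SAFE_FIELDS}
    return redact(safe)


# Constructed sample of an internal provisioning record (fake placeholder token).
_CLONE = "https://x-access-token:ghu_EXAMPLEplaceholder0000@github.com/org/repo.git"
SAMPLE = {
    "id": 1234,
    "status": "failed",
    "error": "clone failed for " + _CLONE,
    "repo_clone_url": _CLONE,
}
```

The allowlist alone would have kept `repo_clone_url` out of the response; the redaction pass covers the case where the same credentialed URL is echoed inside an error message.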
CrewAI, GitHub token, exception handling, sanitization, Uncrew, CVSS 9.2