CVE-2026-2654
Severity: CRITICAL
CVE-2026-2654 is a critical server-side request forgery (SSRF) in the LocalPythonExecutor component of HuggingFace smolagents 1.24.0. A public exploit exists, no authentication is required, and the CVSS 3.1 base score is 9.8. If your teams run smolagents in any internet-reachable deployment, treat the agent host as compromised until it is patched: code run through the executor can reach cloud metadata services and internal APIs, which gives an attacker a foothold for lateral movement. Audit every smolagents deployment now and enforce egress restrictions on agent execution environments as an interim control.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| smolagents | pip | 1.24.0 (the only version named in the disclosure) | No patch |
If you run smolagents 1.24.0, treat the deployment as affected. The disclosure names no other versions and no fixed release, so do not assume a newer version is safe until the vendor confirms a fix. One practical check: the reported call path runs through the requests module, which LocalPythonExecutor exposes to agent-generated code only when it is listed in additional_authorized_imports (or when one of your tools wraps it); agents that never authorize an HTTP client have a much smaller exposure, but every agent definition still needs to be reviewed.
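The audit step above can be made mechanical. The following is an added example, not smolagents code and not the advisory's: it walks Python source with the standard library's ast module and reports every CodeAgent(...) or LocalPythonExecutor(...) call whose additional_authorized_imports opens an HTTP client (or everything, via the "*" wildcard) to agent-generated code. The keyword name and the "*" wildcard are smolagents' own; the list of network-capable modules, the treatment of LocalPythonExecutor's first positional argument as that list, and the sample source are this example's assumptions.

```python
"""Static audit of smolagents agent definitions (added example, not smolagents code).

Reports every CodeAgent(...) / LocalPythonExecutor(...) call whose
additional_authorized_imports opens a network-capable module (or everything,
via "*") to agent-generated code. The keyword name and the "*" wildcard are
smolagents' own; the module list below is this example's assumption.
"""
from __future__ import annotations

import ast

# Assumed set of modules that hand executor code an HTTP client or a shell.
NETWORK_MODULES = {"requests", "urllib", "urllib3", "httpx", "aiohttp",
                   "socket", "http", "subprocess", "os"}
AGENT_CALLS = {"CodeAgent", "LocalPythonExecutor"}


def _callee_name(call: ast.Call) -> str | None:
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _string_list(node: ast.AST) -> list[str] | None:
    """Strings of a list/tuple literal, or None when the value is not statically known."""
    if not isinstance(node, (ast.List, ast.Tuple)):
        return None
    out = []
    for elt in node.elts:
        if not (isinstance(elt, ast.Constant) and isinstance(elt.value, str)):
            return None
        out.append(elt.value)
    return out


def audit_source(source: str, filename: str = "<string>") -> list[dict]:
    """Return findings (file, line, call, risk, modules) sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in AGENT_CALLS:
            continue
        value = next((k.value for k in node.keywords
                      if k.arg == "additional_authorized_imports"), None)
        # Assumption: LocalPythonExecutor takes the import list as its first positional arg.
        if value is None and name == "LocalPythonExecutor" and node.args:
            value = node.args[0]
        if value is None:
            continue  # default: builtin allowlist only, no HTTP client reachable
        mods = _string_list(value)
        if mods is None:
            risk, exposed = "dynamic", []        # computed at runtime: review by hand
        elif "*" in mods:
            risk, exposed = "wildcard", ["*"]
        else:
            exposed = sorted(m for m in mods if m.split(".")[0] in NETWORK_MODULES)
            if not exposed:
                continue
            risk = "network-capable"
        findings.append({"file": filename, "line": node.lineno, "call": name,
                         "risk": risk, "modules": exposed})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample source for the demo (not taken from any real deployment).
SAMPLE_SOURCE = '''
from smolagents import CodeAgent, LocalPythonExecutor
safe = CodeAgent(tools=[], model=model)
risky = CodeAgent(tools=[], model=model,
                  additional_authorized_imports=["pandas", "requests"])
wild = LocalPythonExecutor(["*"])
dyn = CodeAgent(tools=[], model=model, additional_authorized_imports=ALLOWED)
'''

if __name__ == "__main__":
    for f in audit_source(SAMPLE_SOURCE, "agents.py"):
        print(f"{f['file']}:{f['line']} {f['call']} {f['risk']} {f['modules']}")
```

Run it over every file that constructs an agent (for example with a glob over the repository). A "dynamic" finding means the import list is built at runtime and has to be traced by hand; a clean run says nothing about tools that import an HTTP client themselves, which still need the egress controls below.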
Severity & Risk
CVSS 3.1 base score 9.8 (Critical): network attack vector, low attack complexity, no privileges or user interaction required, high impact on confidentiality, integrity and availability.
Recommended Action
1) PATCH: No official vendor patch is confirmed. Monitor smolagents GitHub releases and apply the fix as soon as one ships; the vendor has not responded to the disclosure.
2) ISOLATE: Run LocalPythonExecutor in network-isolated containers with egress allowlists limited to the external endpoints the agent actually needs.
3) BLOCK: Enforce network-layer blocks from all agent execution hosts to the cloud metadata addresses (169.254.169.254, 169.254.170.2, metadata.google.internal, fd00:ec2::254).
4) ENFORCE IMDSv2: Migrate AWS instances hosting smolagents to IMDSv2-only and keep the PUT response hop limit at 1 so containers cannot obtain tokens. Know the limit of this control here: IMDSv2 defeats SSRF primitives that can only issue a GET to a chosen URL, but code running inside the executor can perform the PUT token exchange itself, so on these hosts IMDSv2 is defence in depth and the block in 3) is what actually closes the path.
5) MONITOR: Alert on outbound HTTP from agent processes to RFC 1918 ranges, link-local and loopback addresses.
6) ROTATE: If exploitation is suspected, immediately rotate every cloud credential reachable from the agent host and revoke existing sessions of the instance's IAM role.
7) INPUT VALIDATION: Reject or sandbox any code path that lets user-controlled URLs reach requests.get or requests.post in the executor. LocalPythonExecutor exposes requests to agent code only when it appears in additional_authorized_imports (or when a tool wraps it), so review that setting on every CodeAgent and remove HTTP-capable modules and the "*" wildcard wherever they are not required.
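Items 3) and 5) can be enforced and detected on the agent host itself. The following is an added example, not smolagents code and not part of the advisory: check_url() classifies a URL's destination before any HTTP client call is made on the agent's behalf, refusing the metadata endpoints named above plus loopback, link-local, RFC 1918 and ULA ranges (including IPv4-mapped IPv6 forms), and flag_egress() applies the same classifier to key=value egress log records. The resolver is injectable so the example runs offline; the DNS answers, the log format and the sample lines are constructed for the demo and are assumptions of this example.

```python
"""Egress guard for hosts that run agent-generated code (added example, not smolagents code).

check_url() runs before any HTTP call made for the agent; flag_egress() scans
egress logs. The resolver is injectable so the demo runs offline; in production
keep the default socket.getaddrinfo.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata endpoints named in the advisory.
METADATA_ADDRS = {ipaddress.ip_address(a) for a in ("169.254.169.254", "169.254.170.2", "fd00:ec2::254")}
METADATA_HOSTS = {"metadata.google.internal"}


def classify_address(addr: str) -> str | None:
    """Reason an address must not be reached from an agent host, or None if it looks routable."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 is still the metadata service
    if ip in METADATA_ADDRS:
        return "cloud-metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_unspecified or ip.is_multicast or ip.is_reserved:
        return "non-routable"
    return None


def check_url(url: str, resolver=socket.getaddrinfo) -> str | None:
    """Block reason for url, or None when every resolved address is routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme:{parts.scheme or 'none'}"
    host = parts.hostname
    if not host:
        return "no-host"
    if host.lower().rstrip(".") in METADATA_HOSTS:
        return "cloud-metadata"
    try:
        addrs = [str(ipaddress.ip_address(host))]       # IP literal: no lookup needed
    except ValueError:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return "unresolvable"
        addrs = [info[4][0] for info in infos]
    # Deny if any answer is bad: a mixed public/private record set is a rebinding trick.
    for addr in addrs:
        reason = classify_address(addr)
        if reason:
            return reason
    return None


def flag_egress(log_lines, proc_prefix: str = "agent") -> list[tuple[str, str]]:
    """(line, reason) for key=value egress records from agent processes hitting blocked ranges."""
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if not fields.get("proc", "").startswith(proc_prefix) or "dst" not in fields:
            continue
        try:
            reason = classify_address(fields["dst"])
        except ValueError:
            continue                 # destination is not an IP; leave to a DNS-aware rule
        if reason:
            hits.append((line, reason))
    return hits


# Constructed DNS answers and log lines so the demo runs offline (assumptions of this example).
_DEMO_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.3.7"],   # mixed answer set
}


def demo_resolver(host, port, **_):
    if host not in _DEMO_DNS:
        raise socket.gaierror(host)
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (a, port))
            for a in _DEMO_DNS[host]]


SAMPLE_EGRESS_LOG = [
    "ts=2026-03-01T10:00:01Z proc=agent-worker dst=93.184.216.34 dport=443",
    "ts=2026-03-01T10:00:02Z proc=agent-worker dst=169.254.169.254 dport=80",
    "ts=2026-03-01T10:00:03Z proc=agent-worker dst=10.0.3.7 dport=8080",
    "ts=2026-03-01T10:00:04Z proc=nginx dst=10.0.0.5 dport=80",
    "ts=2026-03-01T10:00:05Z proc=agent-worker dst=::ffff:127.0.0.1 dport=8000",
]

if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://rebind.example.com/", "https://api.example.com/v1"):
        print(u, "->", check_url(u, demo_resolver) or "allow")
    for line, reason in flag_egress(SAMPLE_EGRESS_LOG):
        print(reason, "<-", line)
```

Two caveats on using this in earnest. check_url() resolves the name once and the HTTP client resolves it again, so a hostile DNS server can answer differently the second time; either connect to the address you checked or keep the network-layer block from item 3) as the authoritative control, with this check as an early, loggable refusal. And redirects must be re-checked at every hop, since an allowed public host can 302 to 169.254.169.254.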
Technical Details
NVD Description
A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Exploitation Scenario
An adversary targets an organization's customer-facing AI assistant built on smolagents 1.24.0. They submit a crafted query that causes LocalPythonExecutor to run Python containing requests.get('http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role'), and the metadata service answers with temporary AWS IAM credentials for the instance role. The adversary uses them to authenticate to AWS, enumerate S3 buckets holding training data and customer PII, and pivot to other internal services. A second route chains the flaw with prompt injection: a malicious document ingested by a RAG pipeline carries instructions that make the agent's LLM generate the SSRF payload on its own, with no direct attacker input reaching the executor. Fetching the credentials from the metadata service produces no IAM or CloudTrail event, only local network traffic, so the first signal in cloud logs is the attacker's subsequent API calls from an unfamiliar source IP; without egress monitoring on the agent host, the theft itself goes unseen.
Weaknesses (CWE)
CWE-918: Server-Side Request Forgery (SSRF)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/CH0ico/CVE_choco_smolagent/blob/main/report.md (exploit, third party)
- github.com/CH0ico/CVE_choco_smolagent/tree/main (third party)
- vuldb.com (third-party VDB)