CVE-2026-2654: smolagents: SSRF allows internal network access
GHSA-jxgv-6j54-wwc7 | CRITICAL | PoC AVAILABLE | CISA: TRACK*
CVE-2026-2654 is a critical SSRF in HuggingFace smolagents 1.24.0's LocalPythonExecutor with a public exploit, no authentication required, and CVSS 9.8. If your teams run smolagents in any internet-accessible deployment, treat it as compromised until patched: this vector enables lateral movement to cloud metadata services and internal APIs. Audit all smolagents deployments immediately and enforce network egress restrictions on agent execution environments as an interim control.
Risk Assessment
Critical risk. CVSS 9.8 with a fully remote, unauthenticated, zero-interaction exploit path represents maximum exploitability. Public PoC availability means commodity-level attackers can weaponize this today without AI expertise. In AI agent deployments the blast radius is amplified: agents typically run with privileged cloud credentials and broad network access, making this a viable cloud account takeover vector via AWS IMDSv1, GCP metadata API, or internal IAM services. Patch priority: P0 — no exceptions.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| smolagents | pip | <= 1.24.0 | No patch |
| smolagents | pip | — | No patch |
Recommended Action
1) PATCH: No official vendor patch confirmed; monitor smolagents GitHub releases and apply the update immediately on availability. The vendor has not responded to disclosure.
2) ISOLATE: Run LocalPythonExecutor in network-isolated containers with egress-only allowlists restricted to required external endpoints.
3) BLOCK: Enforce network-layer blocks on access to cloud metadata addresses (169.254.169.254, 169.254.170.2, metadata.google.internal, fd00:ec2::254) from all agent execution hosts.
4) ENFORCE IMDSv2: Migrate all AWS instances hosting smolagents to IMDSv2-only to prevent metadata credential theft via SSRF.
5) MONITOR: Alert on outbound HTTP from agent processes to RFC-1918 ranges, link-local, and loopback addresses.
6) ROTATE: If exploitation is suspected, immediately rotate all cloud credentials accessible from the agent host.
7) INPUT VALIDATION: Reject or sandbox any code path that allows user-controlled URLs to reach requests.get or requests.post in the executor.
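An added example, not code from smolagents or from this advisory: one way to implement the destination check behind the INPUT VALIDATION step, reusable for classifying destinations in egress logs for the MONITOR step. The function names and reason strings are assumptions made for illustration; how the check is wired into the executor is left out because the page does not describe that interface.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata endpoints listed in the advisory's BLOCK step.
METADATA_HOSTS = {"metadata.google.internal"}
METADATA_IPS = {ipaddress.ip_address(a)
                for a in ("169.254.169.254", "169.254.170.2", "fd00:ec2::254")}


def system_resolver(host):
    """All addresses a name maps to (uses the host's DNS configuration)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def classify_ip(ip):
    """Return why an address is internal, or None if it is globally routable."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # judge ::ffff:a.b.c.d as a.b.c.d
    if ip in METADATA_IPS:
        return "cloud-metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if not ip.is_global:             # RFC 1918, CGNAT, ULA, unspecified
        return "non-global"
    return None


def check_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL about to be fetched. Fails closed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return False, "bad-scheme-or-host"
    if host in METADATA_HOSTS:
        return False, "cloud-metadata"
    try:
        addrs = [ipaddress.ip_address(host)]      # IP literal in the URL
    except ValueError:
        try:                                      # a name: judge what it resolves to
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            return False, "unresolvable"
    if not addrs:
        return False, "unresolvable"
    for ip in addrs:                              # any internal address rejects the URL
        reason = classify_ip(ip)
        if reason:
            return False, reason
    return True, "ok"
```

A check made before the request does not cover redirects or a name that resolves differently at connect time, so it complements the network-layer controls in steps 2 and 3 rather than replacing them.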
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-2654 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-2654, increasing the risk of exploitation.
What systems are affected by CVE-2026-2654?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines, multi-agent systems, LLM tool use / function calling, RAG pipelines with agent orchestration, cloud-hosted AI applications.
What is the CVSS score for CVE-2026-2654?
CVE-2026-2654 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.02%.
Technical Details
NVD Description
A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Exploitation Scenario
An adversary targets an organization's customer-facing AI assistant built on smolagents 1.24.0. They submit a crafted query that causes LocalPythonExecutor to execute Python containing requests.get('http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role'). The metadata service returns temporary AWS IAM credentials. The adversary uses these to authenticate to AWS, enumerate S3 buckets containing training data and customer PII, and pivot to other internal services. Alternatively, an attacker chains this with LLM prompt injection: a malicious document ingested by a RAG pipeline contains instructions that cause the agent LLM to generate the SSRF payload autonomously. The attack generates no IAM authentication events — only network traffic — making detection difficult without egress monitoring.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/CH0ico/CVE_choco_smolagent/blob/main/report.md Exploit 3rd Party
- github.com/CH0ico/CVE_choco_smolagent/tree/main 3rd Party
- vuldb.com 3rd Party VDB
- github.com/advisories/GHSA-jxgv-6j54-wwc7
- nvd.nist.gov/vuln/detail/CVE-2026-2654
Related Vulnerabilities
- CVE-2025-14931 (10.0): Analysis pending. Same package: smolagents
- CVE-2025-5120 (10.0): smolagents: sandbox escape enables unauthenticated RCE. Same package: smolagents
- CVE-2026-4963 (6.3): smolagents: code injection via incomplete sandbox fix. Same package: smolagents
- CVE-2025-11844 (5.4): smolagents: security flaw enables exploitation. Same package: smolagents
- CVE-2025-53767 (10.0): Azure OpenAI: SSRF EoP, no auth required (CVSS 10). Same attack type: Data Extraction