CVE-2026-2654: smolagents: SSRF allows internal network access

GHSA-jxgv-6j54-wwc7 CRITICAL PoC AVAILABLE CISA: TRACK*
Published February 18, 2026
CISO Take

CVE-2026-2654 is a critical SSRF in HuggingFace smolagents 1.24.0's LocalPythonExecutor with a public exploit, no authentication required, and CVSS 9.8. If your teams run smolagents in any internet-accessible deployment, treat it as compromised until patched — this vector enables lateral movement to cloud metadata services and internal APIs. Audit all smolagents deployments immediately and enforce network egress restrictions on agent execution environments as an interim control.

What is the risk?

Critical risk. CVSS 9.8 with a fully remote, unauthenticated, zero-interaction exploit path represents maximum exploitability. Public PoC availability means commodity-level attackers can weaponize this today without AI expertise. In AI agent deployments the blast radius is amplified: agents typically run with privileged cloud credentials and broad network access, making this a viable cloud account takeover vector via AWS IMDSv1, GCP metadata API, or internal IAM services. Patch priority: P0 — no exceptions.

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
smolagents   pip         <= 1.24.0          No patch

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 30% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

7 steps
  1. PATCH: No official vendor patch confirmed — monitor smolagents GitHub releases and apply update immediately on availability; vendor has not responded to disclosure.
  2. ISOLATE: Run LocalPythonExecutor in network-isolated containers with egress-only allowlists restricted to required external endpoints.
  3. BLOCK: Enforce network-layer blocks on access to cloud metadata addresses (169.254.169.254, 169.254.170.2, metadata.google.internal, fd00:ec2::254) from all agent execution hosts.
  4. ENFORCE IMDSv2: Migrate all AWS instances hosting smolagents to IMDSv2-only to prevent metadata credential theft via SSRF.
  5. MONITOR: Alert on outbound HTTP from agent processes to RFC-1918 ranges, link-local, and loopback addresses.
  6. ROTATE: If exploitation is suspected, immediately rotate all cloud credentials accessible from the agent host.
  7. INPUT VALIDATION: Reject or sandbox any code path that allows user-controlled URLs to reach requests.get or requests.post in the executor.
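As an added example (not code from the advisory or from the smolagents project), a Python egress guard that applies the BLOCK and INPUT VALIDATION steps above to a URL before the executor is allowed to fetch it: it denies the listed metadata destinations, loopback, link-local and RFC-1918 targets, including integer-encoded and IPv4-mapped IPv6 spellings of the same addresses, and passes only an explicit allowlist of external hostnames. The allowlist contents and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed example, not smolagents code: the metadata destinations the
# advisory lists, plus hostname aliases to deny before any DNS lookup.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}
METADATA_ADDRS = {
    ipaddress.ip_address("169.254.169.254"),   # AWS/Azure/OpenStack IMDS
    ipaddress.ip_address("169.254.170.2"),     # ECS task credential endpoint
    ipaddress.ip_address("fd00:ec2::254"),     # AWS IMDS over IPv6
}

def _literal_ip(host):
    """Parse dotted, bracketed, hex or decimal IP literals; None if not an IP."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:  # http://2852039166/ and http://0xa9fea9fe/ both denote 169.254.169.254
        return ipaddress.ip_address(int(host, 0))
    except (ValueError, OverflowError):
        return None

def check_egress(url, allowed_hosts):
    """Return (allowed, reason). Only allowlisted external hostnames pass."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not permitted"
    host = (parts.hostname or "").lower()   # .hostname strips [] and userinfo
    if not host:
        return False, "no host"
    if host in METADATA_HOSTS:
        return False, "cloud metadata hostname"
    ip = _literal_ip(host)
    if ip is not None:
        if ip.version == 6 and ip.ipv4_mapped:  # e.g. [::ffff:169.254.169.254]
            ip = ip.ipv4_mapped
        if ip in METADATA_ADDRS:
            return False, "cloud metadata address"
        if ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_reserved:
            return False, "internal address"
        return False, "IP literals not allowlisted"
    if host not in allowed_hosts:
        return False, "host not in egress allowlist"
    return True, "ok"
```

The guard checks literals only and does not resolve hostnames, so a permitted name that later resolves to an internal address is left to the network-layer block in step 3; the same classifier can be run over the destination field of egress logs for the MONITOR step.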

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  A.6.2.6 - AI system security
  A.8.4 - Monitoring of AI system
NIST AI RMF
  GOVERN 1.6 - Organizational risk policies and procedures for AI
  MEASURE 2.2 - Scientific and technical methods to assess AI risks
OWASP LLM Top 10
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-2654?

CVE-2026-2654 is a critical SSRF in HuggingFace smolagents 1.24.0's LocalPythonExecutor with a public exploit, no authentication required, and CVSS 9.8. If your teams run smolagents in any internet-accessible deployment, treat it as compromised until patched — this vector enables lateral movement to cloud metadata services and internal APIs. Audit all smolagents deployments immediately and enforce network egress restrictions on agent execution environments as an interim control.

Is CVE-2026-2654 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-2654, increasing the risk of exploitation.

How to fix CVE-2026-2654?

  1. PATCH: No official vendor patch confirmed — monitor smolagents GitHub releases and apply update immediately on availability; vendor has not responded to disclosure.
  2. ISOLATE: Run LocalPythonExecutor in network-isolated containers with egress-only allowlists restricted to required external endpoints.
  3. BLOCK: Enforce network-layer blocks on access to cloud metadata addresses (169.254.169.254, 169.254.170.2, metadata.google.internal, fd00:ec2::254) from all agent execution hosts.
  4. ENFORCE IMDSv2: Migrate all AWS instances hosting smolagents to IMDSv2-only to prevent metadata credential theft via SSRF.
  5. MONITOR: Alert on outbound HTTP from agent processes to RFC-1918 ranges, link-local, and loopback addresses.
  6. ROTATE: If exploitation is suspected, immediately rotate all cloud credentials accessible from the agent host.
  7. INPUT VALIDATION: Reject or sandbox any code path that allows user-controlled URLs to reach requests.get or requests.post in the executor.

What systems are affected by CVE-2026-2654?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines, multi-agent systems, LLM tool use / function calling, RAG pipelines with agent orchestration, cloud-hosted AI applications.

What is the CVSS score for CVE-2026-2654?

CVE-2026-2654 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

  agent frameworks
  agentic pipelines
  multi-agent systems
  LLM tool use / function calling
  RAG pipelines with agent orchestration
  cloud-hosted AI applications

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0051 LLM Prompt Injection
AML.T0053 AI Agent Tool Invocation
AML.T0080 AI Agent Context Poisoning
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.6, A.8.4
NIST AI RMF: GOVERN 1.6, MEASURE 2.2
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An adversary targets an organization's customer-facing AI assistant built on smolagents 1.24.0. They submit a crafted query that causes LocalPythonExecutor to execute Python containing requests.get('http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role'). The metadata service returns temporary AWS IAM credentials. The adversary uses these to authenticate to AWS, enumerate S3 buckets containing training data and customer PII, and pivot to other internal services. Alternatively, an attacker chains this with LLM prompt injection: a malicious document ingested by a RAG pipeline contains instructions that cause the agent LLM to generate the SSRF payload autonomously. The attack generates no IAM authentication events — only network traffic — making detection difficult without egress monitoring.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 18, 2026
Last Modified
May 7, 2026
First Seen
February 18, 2026
