CVE-2026-4963 — MEDIUM (CVSS 6.3) AI Security Vulnerability

CISO Take

HuggingFace smolagents 1.25.0.dev0 contains an incomplete fix for CVE-2025-9959, allowing remote code injection through the LocalPythonExecutor component. Any deployment using smolagents' CodeAgent is at risk — an attacker can escape the restricted Python sandbox and execute arbitrary code on the host system. Upgrade immediately once a complete patch is released, or isolate agent workloads in containers with no access to credentials or sensitive data.

Severity & Risk

CVSS 3.1

6.3 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. PATCH: Monitor HuggingFace smolagents repository for a complete fix; pin to that version immediately upon release. 2. WORKAROUND: Replace LocalPythonExecutor with an isolated sandbox — use E2B (e2b.dev), Docker with no-new-privileges and dropped capabilities, or similar. 3. HARDEN: Run smolagents processes with minimal permissions — no cloud credential access, no write access to sensitive paths, network egress restricted. 4. DETECT: Alert on subprocess spawning, unusual outbound network connections, or file access outside expected working directories from smolagents processes. 5. AUDIT: If running CVE-2025-9959-patched versions, assume the sandbox bypass is achievable and review agent access controls accordingly.

Classification

Code Execution Supply Chain Agent Framework AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.10.1 - AI System Risk Management

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain AI risk management

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Technical Details

NVD Description

A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An adversary targets a developer tool, internal AI assistant, or automation platform built on smolagents. They submit a crafted task containing Python code that uses augmented assignment operators or specific call patterns (e.g., __class__.__mro__ traversal via evaluate_augassign/evaluate_call chains) that bypass the incomplete sandbox restrictions. The LocalPythonExecutor evaluates the payload while believing it is safe. The attacker achieves arbitrary code execution on the host, immediately reading HUGGING_FACE_HUB_TOKEN, AWS_SECRET_ACCESS_KEY, or other credentials from environment variables. With cloud credentials in hand, they pivot to exfiltrate models, training data, or customer data stored in connected cloud storage — all triggered through a seemingly legitimate agent task submission.

Weaknesses (CWE)

CWE-74 Primary CWE-94 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References

Timeline

Published

March 27, 2026

Last Modified

March 27, 2026

First Seen

March 27, 2026