CVE-2026-4963: smolagents: code injection via incomplete sandbox fix

GHSA-54fq-v6x8-244g MEDIUM CISA: TRACK*
Published March 27, 2026
CISO Take

HuggingFace smolagents 1.25.0.dev0 contains an incomplete fix for CVE-2025-9959, allowing remote code injection through the LocalPythonExecutor component. Any deployment using smolagents' CodeAgent is at risk — an attacker can escape the restricted Python sandbox and execute arbitrary code on the host system. Upgrade immediately once a complete patch is released, or isolate agent workloads in containers with no access to credentials or sensitive data.

What is the risk?

CVSS 6.3 (Medium) understates operational risk in AI agent deployments. The combination of network attack vector, low complexity, and no required privileges makes exploitation straightforward — only user interaction is needed, which is trivially achievable through task submission to any agent interface. Public exploit code is already available. The incomplete-fix pattern is particularly dangerous: defenders who believe they patched CVE-2025-9959 remain exposed. In production agent pipelines with access to cloud credentials, APIs, or internal systems, effective impact reaches Critical.

What systems are affected?

Package      Ecosystem   Vulnerable Range    Patched
smolagents   pip         <= 1.25.0.dev0      No patch

Do you use smolagents? You're affected.

How severe is it?

CVSS 3.1: 6.3 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 43% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): Low
A (Availability): Low

What should I do?

5 steps
  1. PATCH

    Monitor HuggingFace smolagents repository for a complete fix; pin to that version immediately upon release.

  2. WORKAROUND

    Replace LocalPythonExecutor with an isolated sandbox — use E2B (e2b.dev), Docker with no-new-privileges and dropped capabilities, or similar.

  3. HARDEN

    Run smolagents processes with minimal permissions — no cloud credential access, no write access to sensitive paths, network egress restricted.

  4. DETECT

    Alert on subprocess spawning, unusual outbound network connections, or file access outside expected working directories from smolagents processes.

  5. AUDIT

    If running CVE-2025-9959-patched versions, assume the sandbox bypass is achievable and review agent access controls accordingly.
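To make the DETECT step concrete, the following is an added example (not smolagents code and not part of this advisory) that runs three simple rules over process telemetry: subprocess spawns, outbound connections outside an egress allowlist, and file opens outside the agent's working tree. The event shape, the process label, the sample events and the allowlists are constructed assumptions; adapt them to whatever your EDR or auditd pipeline emits.

```python
"""Toy detection rules for agent-process telemetry (constructed example)."""
from pathlib import PurePosixPath

# Assumed policy: the label our sensor assigns to the agent process, the only
# directories it should read/write, and the only egress it should need.
AGENT_COMM = "python-smolagents"
ALLOWED_DIRS = ("/srv/agent/workspace", "/usr/lib/python3")
ALLOWED_EGRESS = {"api-inference.huggingface.co:443"}

# Constructed sample telemetry as (event_type, process_label, detail) tuples.
SAMPLE_EVENTS = [
    ("open", AGENT_COMM, "/srv/agent/workspace/results.json"),   # expected
    ("open", AGENT_COMM, "/home/agent/.aws/credentials"),         # credential read
    ("connect", AGENT_COMM, "api-inference.huggingface.co:443"),  # expected
    ("connect", AGENT_COMM, "203.0.113.7:4444"),                  # unexpected egress
    ("exec", AGENT_COMM, "/bin/sh -c env"),                       # child process
    ("exec", "sshd", "/usr/bin/bash"),                            # not an agent process
]


def _under(path, roots):
    """True if path is one of roots or inside one. Path-component comparison
    (not string prefix) so /srv/agent/workspace-old is not treated as inside
    /srv/agent/workspace."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in roots)


def detect(events, allowed_dirs=ALLOWED_DIRS, allowed_egress=ALLOWED_EGRESS):
    """Return (rule_name, detail) alerts for events from the agent process."""
    alerts = []
    for kind, proc, detail in events:
        if proc != AGENT_COMM:
            continue  # only the agent process is in scope for these rules
        if kind == "exec":
            # The executor should never need to spawn a child process.
            alerts.append(("subprocess_spawn", detail))
        elif kind == "connect" and detail not in allowed_egress:
            alerts.append(("unexpected_egress", detail))
        elif kind == "open" and not _under(detail, allowed_dirs):
            alerts.append(("file_access_outside_workdir", detail))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {detail}")
```

Feed real events in the same shape and the three rules map one to one onto the DETECT step above; tune the allowlists per deployment rather than globally.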

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - AI System Risk Management
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
LLM07 - Insecure Plugin Design
LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-4963 actively exploited?

No confirmed active exploitation of CVE-2026-4963 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-4963?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM-powered automation pipelines, code execution sandboxes, AI development environments.

What is the CVSS score for CVE-2026-4963?

CVE-2026-4963 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.57%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM-powered automation pipelines, code execution sandboxes, AI development environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.10.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An adversary targets a developer tool, internal AI assistant, or automation platform built on smolagents. They submit a crafted task containing Python code that uses augmented assignment operators or specific call patterns (e.g., __class__.__mro__ traversal via evaluate_augassign/evaluate_call chains) that bypass the incomplete sandbox restrictions. The LocalPythonExecutor evaluates the payload while believing it is safe. The attacker achieves arbitrary code execution on the host, immediately reading HUGGING_FACE_HUB_TOKEN, AWS_SECRET_ACCESS_KEY, or other credentials from environment variables. With cloud credentials in hand, they pivot to exfiltrate models, training data, or customer data stored in connected cloud storage — all triggered through a seemingly legitimate agent task submission.

Weaknesses (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

  • [Requirements] Programming languages and supporting technologies might be chosen which are not subject to these issues.
  • [Implementation] Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Timeline

Published: March 27, 2026
Last Modified: May 6, 2026
First Seen: March 27, 2026
