Login Sign Up

CVE-2026-2654

6.3 MEDIUM
SSRF

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in huggingface smolagents 1.24.0. Attackers can exploit the LocalPythonExecutor component to make unauthorized requests from the vulnerable server, potentially accessing internal systems. Organizations using smolagents 1.24.0 with internet-facing deployments are at risk.

💻 Affected Systems

Products:
  • huggingface smolagents
Versions: 1.24.0
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the LocalPythonExecutor component when using requests.get/requests.post functions.

📦 What is this software?

Smolagents by Huggingface

View all CVEs affecting Smolagents →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of internal network resources, data exfiltration, and lateral movement to other systems via the vulnerable server as a pivot point.

🟠

Likely Case

Unauthorized access to internal HTTP services, metadata services (like AWS/Azure instance metadata), or internal APIs accessible from the vulnerable server.

🟢

If Mitigated

Limited impact with proper network segmentation, egress filtering, and request validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub. Remote exploitation possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: unknown

Vendor Advisory: none

Restart Required: No

Instructions:

No official patch available. Vendor did not respond to disclosure. Consider workarounds or alternative solutions.

🔧 Temporary Workarounds

Input Validation and URL Whitelisting

all

Implement strict validation of URLs passed to LocalPythonExecutor, allowing only trusted domains.

Network Egress Filtering

all

Configure firewall rules to restrict outbound connections from the smolagents server to only necessary destinations.

🧯 If You Can't Patch

  • Isolate the vulnerable system in a restricted network segment with limited outbound access.
  • Implement web application firewall (WAF) rules to detect and block SSRF patterns in requests.

🔍 How to Verify

Check if Vulnerable:

Check if smolagents version is 1.24.0 and if LocalPythonExecutor is configured to accept external URL inputs.

Check Version:

pip show smolagents | grep Version

Verify Fix Applied:

Test if URL validation prevents requests to internal or unauthorized external addresses.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from smolagents process to internal IP ranges or metadata services

Network Indicators:

  • HTTP requests from smolagents server to unexpected internal destinations or cloud metadata endpoints

SIEM Query:

source="smolagents" AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16 OR dest_ip=169.254.169.254)

📊 Metadata

CVE ID: CVE-2026-2654
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-918
Published: February 18, 2026
Last Updated: February 20, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2654, you might also want to check these:

CVE-2023-3432 10.0

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in PlantUML versions prior to ...

Same vulnerability type (CWE-918)
CVE-2025-2828 10.0

This Server-Side Request Forgery (SSRF) vulnerability in langchain-community's RequestsToolkit allow...

Same vulnerability type (CWE-918)
CVE-2023-43654 10.0

TorchServe versions 0.1.0 to 0.8.1 have a critical vulnerability where the default configuration lac...

Same vulnerability type (CWE-918)