CVE-2026-2654
Published: 18 February 2026
Summary
CVE-2026-2654 is a medium-severity SSRF (CWE-918) vulnerability in Huggingface Smolagents. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2654 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting version 1.24.0 of the Hugging Face smolagents library. The flaw impacts the requests.get and requests.post functions within the LocalPythonExecutor component, where manipulation enables SSRF. Published on 2026-02-18, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by an attacker with low privileges over the network, requiring low attack complexity and no user interaction. Successful exploitation leads to SSRF, resulting in low impacts on confidentiality, integrity, and availability.
Advisories and references, including GitHub proof-of-concept code at https://github.com/CH0ico/CVE_choco_smolagent and VulDB entries at https://vuldb.com/?ctiid.346451, detail the issue but note no vendor response despite early disclosure notification. No patches or official mitigations are available from the vendor.
The exploit has been publicly disclosed and could be used for attacks, particularly in deployments of the affected smolagents library from Hugging Face.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7648
Vulnerability details
A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made…
more
available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: huggingface
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing smolagents web/app deployment directly enables initial access via exploitation of the vulnerable application endpoint (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces information flow policies that block the unauthorized outbound requests.get/post calls from LocalPythonExecutor to attacker-supplied destinations.
Requires validation of URL inputs to requests.get/post, directly stopping the manipulation that triggers SSRF in smolagents 1.24.0.
Applies boundary rules to restrict the network destinations the vulnerable executor component can reach, limiting SSRF impact.