CVE-2026-2654
Published: 18 February 2026
Summary
CVE-2026-2654 is a medium-severity SSRF (CWE-918) vulnerability in Huggingface Smolagents. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as NLP and Transformers.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing smolagents web/app deployment directly enables initial access via exploitation of the vulnerable application endpoint (T1190).
NVD Description
A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made…
more
available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-2654 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting version 1.24.0 of the Hugging Face smolagents library. The flaw impacts the requests.get and requests.post functions within the LocalPythonExecutor component, where manipulation enables SSRF. Published on 2026-02-18, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by an attacker with low privileges over the network, requiring low attack complexity and no user interaction. Successful exploitation leads to SSRF, resulting in low impacts on confidentiality, integrity, and availability.
Advisories and references, including GitHub proof-of-concept code at https://github.com/CH0ico/CVE_choco_smolagent and VulDB entries at https://vuldb.com/?ctiid.346451, detail the issue but note no vendor response despite early disclosure notification. No patches or official mitigations are available from the vendor.
The exploit has been publicly disclosed and could be used for attacks, particularly in deployments of the affected smolagents library from Hugging Face.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- NLP and Transformers
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: huggingface