Cyber Resilience

CVE-2026-2654

MediumPublic PoC

Published: 18 February 2026

Published
18 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 29.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2654 is a medium-severity SSRF (CWE-918) vulnerability in Huggingface Smolagents. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2654 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting version 1.24.0 of the Hugging Face smolagents library. The flaw impacts the requests.get and requests.post functions within the LocalPythonExecutor component, where manipulation enables SSRF. Published on 2026-02-18, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an attacker with low privileges over the network, requiring low attack complexity and no user interaction. Successful exploitation leads to SSRF, resulting in low impacts on confidentiality, integrity, and availability.

Advisories and references, including GitHub proof-of-concept code at https://github.com/CH0ico/CVE_choco_smolagent and VulDB entries at https://vuldb.com/?ctiid.346451, detail the issue but note no vendor response despite early disclosure notification. No patches or official mitigations are available from the vendor.

The exploit has been publicly disclosed and could be used for attacks, particularly in deployments of the affected smolagents library from Hugging Face.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made…

more

available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: huggingface

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing smolagents web/app deployment directly enables initial access via exploitation of the vulnerable application endpoint (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-5120Same product: Huggingface Smolagents
CVE-2026-4963Same product: Huggingface Smolagents
CVE-2026-7158Shared CWE-918
CVE-2026-32871Shared CWE-918
CVE-2026-43993Shared CWE-918
CVE-2026-5633Shared CWE-918
CVE-2026-5832Shared CWE-918
CVE-2026-42260Shared CWE-918
CVE-2026-45373Shared CWE-918
CVE-2026-25874Same vendor: Huggingface

Affected Assets

huggingface
smolagents
1.0.0 — 1.24.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces information flow policies that block the unauthorized outbound requests.get/post calls from LocalPythonExecutor to attacker-supplied destinations.

prevent

Requires validation of URL inputs to requests.get/post, directly stopping the manipulation that triggers SSRF in smolagents 1.24.0.

prevent

Applies boundary rules to restrict the network destinations the vulnerable executor component can reach, limiting SSRF impact.

References