CVE-2026-2654 identifies a server-side request forgery (SSRF) vulnerability in huggingface's smolagents software, version 1.24.0. The vulnerability resides in the LocalPythonExecutor component, which utilizes Python's requests library functions (requests.get and requests.post) to perform HTTP requests. Due to insufficient input validation or sanitization, an attacker can manipulate these requests to force the server to send arbitrary HTTP requests to internal or external systems. This can lead to unauthorized access to internal network resources, bypassing firewall restrictions, or interaction with sensitive services that are not exposed externally. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The public disclosure of exploit code further elevates the threat landscape. The vendor has not issued a patch or responded to the disclosure, leaving users exposed. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). This suggests that while the vulnerability is not critical, it can still cause meaningful harm if exploited, particularly in environments where smolagents is used to execute or orchestrate network requests.

For European organizations, the SSRF vulnerability in smolagents 1.24.0 poses risks including unauthorized internal network scanning, access to sensitive internal services, and potential pivoting to other systems within the network. This can compromise confidentiality by exposing internal endpoints, integrity by enabling malicious request manipulation, and availability if exploited to cause denial-of-service conditions. Organizations using smolagents in cloud or hybrid environments may face increased risk due to the potential to access metadata services or internal APIs. The public availability of exploit code increases the likelihood of opportunistic attacks, especially against organizations slow to patch or mitigate. Given the lack of vendor response and patches, European entities relying on this software for AI or automation workflows must consider the vulnerability a significant operational risk. The impact is heightened in sectors with critical infrastructure or sensitive data, such as finance, healthcare, and government, where internal network exposure can have severe consequences.

Since no official patch or update is available from the vendor, European organizations should implement immediate compensating controls. These include restricting network egress from servers running smolagents to only trusted destinations, employing strict firewall rules and network segmentation to limit internal resource exposure, and monitoring outgoing HTTP requests for anomalous patterns indicative of SSRF exploitation. Input validation and sanitization should be enforced at the application layer if possible, to prevent malicious request manipulation. Organizations should consider deploying web application firewalls (WAFs) with SSRF detection capabilities and enable detailed logging and alerting on smolagents-related network activity. Where feasible, isolating smolagents execution environments in containers or sandboxed VMs can reduce the blast radius of a successful exploit. Finally, organizations should track vendor communications for any forthcoming patches and plan for timely updates once available.