
CVE-2026-2654: Server-Side Request Forgery in huggingface smolagents

Severity: Medium
Published: Wed Feb 18 2026 (02/18/2026, 13:32:06 UTC)
Source: CVE Database V5
Vendor/Project: huggingface
Product: smolagents

Description

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 13:35:17 UTC

Technical Analysis

CVE-2026-2654 identifies a server-side request forgery vulnerability in huggingface's smolagents version 1.24.0, specifically within the LocalPythonExecutor component that utilizes Python's requests library functions (requests.get and requests.post). SSRF vulnerabilities occur when an attacker can manipulate server-side HTTP requests to arbitrary destinations, often enabling access to internal or protected network resources that are otherwise inaccessible externally. In this case, the vulnerability arises from insufficient validation or sanitization of URLs or request parameters passed to these functions, allowing an attacker to craft malicious inputs that cause the server to send unintended HTTP requests. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. The vendor was notified but did not respond, and no patches or mitigations have been officially released. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The exploit could be used to scan internal networks, access metadata services in cloud environments, or interact with internal APIs, potentially leading to information disclosure or further compromise. While no known exploits are currently active in the wild, the public availability of exploit details increases the risk of future attacks. This vulnerability affects only version 1.24.0 of smolagents, a component used in AI agent orchestration by huggingface, which is widely used in AI research and production environments.

Potential Impact

The primary impact of this SSRF vulnerability is unauthorized internal network access and potential information disclosure. Attackers exploiting this flaw can coerce the vulnerable server to send crafted HTTP requests to internal services, such as cloud metadata endpoints, internal APIs, or other protected resources, which could reveal sensitive data or enable lateral movement within the network. This can lead to compromise of confidential information, disruption of service integrity, or availability degradation if internal services are manipulated or overwhelmed. Organizations relying on huggingface smolagents 1.24.0 in cloud or enterprise environments are at risk of internal network reconnaissance and data leakage. The medium CVSS score reflects that while the vulnerability does not directly allow remote code execution or full system compromise, the SSRF can be a stepping stone for more severe attacks. The lack of vendor response and patches increases the window of exposure, raising the urgency for organizations to implement mitigations. The impact is especially significant in environments where smolagents are deployed with elevated privileges or network access to sensitive internal resources.

Mitigation Recommendations

Since no official patch or update has been released by huggingface for smolagents 1.24.0, organizations should implement the following mitigations:

1) Restrict network egress from servers running smolagents to only trusted and necessary endpoints using firewall rules or network segmentation to limit SSRF attack surface.
2) Employ strict input validation and sanitization on any user-controllable inputs that influence requests.get or requests.post calls within LocalPythonExecutor, ensuring only safe URLs or domains are allowed.
3) Use application-layer proxies or request allowlists to prevent requests to internal IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16) or cloud metadata service IPs.
4) Monitor logs for unusual outbound HTTP requests originating from smolagents components to detect potential exploitation attempts.
5) Consider isolating smolagents workloads in containerized or sandboxed environments with minimal network privileges.
6) Stay alert for vendor updates or community patches and apply them promptly once available.
7) If feasible, upgrade to a non-vulnerable version of smolagents once released.

These targeted mitigations go beyond generic advice by focusing on network controls, input validation, and monitoring specific to the SSRF context in smolagents.
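One way to implement the URL validation and internal-range blocking recommended above, as an added example (not smolagents code and not from the vendor). The function names, the `SAMPLE_DNS` table and its hostnames and addresses are constructed for illustration; the check resolves the host first and rejects the request if any answer is loopback, private, link-local or otherwise non-routable.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "api.example.test": ["93.184.216.34"],
    "mixed.example.test": ["93.184.216.34", "10.0.0.5"],
    "metadata.example.test": ["169.254.169.254"],
}

def sample_resolver(host, port):
    """Hypothetical stand-in for DNS, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise OSError("name not found")
    return SAMPLE_DNS[host]

def system_resolver(host, port):
    """Resolve with the OS resolver and return the IP strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_internal(ip):
    """True for loopback, private, link-local and other non-routable space."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_url(url, resolver=system_resolver):
    """Return (allowed, reason, vetted_ips) for an outbound request URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        candidates = [ipaddress.ip_address(host)]  # IP literal in the URL
    except ValueError:
        try:  # hostname: every resolved address must pass
            candidates = [ipaddress.ip_address(a) for a in resolver(host, parts.port)]
        except (OSError, ValueError):
            return False, "resolution failed", []
    if not candidates or any(is_internal(ip) for ip in candidates):
        return False, "internal or unresolved address", []
    # Caller should connect to these vetted IPs and re-check every redirect hop.
    return True, "ok", [str(ip) for ip in candidates]
```

A string check on the URL alone is not enough: the hostname has to be resolved and the connection made to the vetted address, otherwise a later DNS answer or an HTTP redirect can still point the request at an internal service.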


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-18T06:39:02.728Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6995cf936aea4a407abb58fa

Added to database: 2/18/2026, 2:41:23 PM

Last enriched: 2/28/2026, 1:35:17 PM

Last updated: 4/4/2026, 4:50:29 PM
