Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Huggingface SmolAgents 1.24.0 Allows Remote Server-Side Request Forgery
CVE-2026-2654
Summary
The Huggingface SmolAgents version 1.24.0 has a security flaw that allows attackers to trick the system into making unauthorized network requests. This could potentially lead to malicious attacks. We recommend updating to the latest version of SmolAgents to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| huggingface | smolagents | > 1.0.0 , <= 1.24.0 | – |
Original title
A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to serve...
Original description
A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
nvd CVSS2.0
6.5
nvd CVSS3.1
9.8
nvd CVSS4.0
5.3
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
- https://github.com/CH0ico/CVE_choco_smolagent/blob/main/report.md#proof-of-conce... Exploit Third Party Advisory
- https://github.com/CH0ico/CVE_choco_smolagent/tree/main Third Party Advisory
- https://vuldb.com/?ctiid.346451 Third Party Advisory VDB Entry
- https://vuldb.com/?id.346451 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.752774 Third Party Advisory VDB Entry
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026