A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
References
| Link | Resource |
|---|---|
| https://github.com/CH0ico/CVE_choco_smolagent/blob/main/report.md#proof-of-concept-execution | Exploit Third Party Advisory |
| https://github.com/CH0ico/CVE_choco_smolagent/tree/main | Third Party Advisory |
| https://vuldb.com/?ctiid.346451 | Third Party Advisory VDB Entry |
| https://vuldb.com/?id.346451 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.752774 | Third Party Advisory VDB Entry |
Configurations
History
20 Feb 2026, 20:51
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Huggingface
Huggingface smolagents |
|
| References | () https://github.com/CH0ico/CVE_choco_smolagent/blob/main/report.md#proof-of-concept-execution - Exploit, Third Party Advisory | |
| References | () https://github.com/CH0ico/CVE_choco_smolagent/tree/main - Third Party Advisory | |
| References | () https://vuldb.com/?ctiid.346451 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?id.346451 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?submit.752774 - Third Party Advisory, VDB Entry | |
| CPE | cpe:2.3:a:huggingface:smolagents:*:*:*:*:*:*:*:* |
18 Feb 2026, 14:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-18 14:16
Updated : 2026-02-20 20:51
NVD link : CVE-2026-2654
Mitre link : CVE-2026-2654
CVE.ORG link : CVE-2026-2654
JSON object : View
Products Affected
huggingface
- smolagents
CWE
CWE-918
Server-Side Request Forgery (SSRF)