RAXE — Runtime AI Security Platform

1. Executive Summary

What: A server-side request forgery (SSRF) vulnerability (CVE-2026-2654, CWE-918) exists in HuggingFace smolagents versions 1.0.0 through 1.24.0, affecting the LocalPythonExecutor component — but only when developers have explicitly authorised network-capable modules such as requests via the additional_authorized_imports parameter (NVD, PoC report). Under this configuration, the executor permits arbitrary HTTP requests without URL validation or egress filtering, enabling an attacker to direct the agent to make requests to internal network services (PoC report). Default configurations without network-capable imports authorised are assessed as not exploitable through this vector (RAXE assessment, based on PoC prerequisite analysis — no explicit vendor statement confirms this).

So What: NVD assigns a CVSS v3.1 Base Score of 9.8 Critical (PR:N) (NVD). VulDB independently assigns 6.3 Medium (PR:L) — a significant divergence detailed in the Risk Rating section below. A public proof-of-concept demonstrates access to internal services, cloud metadata credential theft, and data exfiltration via out-of-band HTTP requests, all contingent on the additional_authorized_imports prerequisite (PoC report). No public fixed version has been identified at time of review; the latest version (1.24.0) remains affected (NVD). The vendor was contacted but did not respond (VulDB). The EPSS probability is 0.043% (13th percentile), indicating low predicted exploitation likelihood at time of writing (FIRST.org EPSS).

Now What: Organisations using smolagents with network-capable imports enabled in LocalPythonExecutor should implement egress filtering to block requests to RFC 1918 ranges, loopback addresses, and cloud metadata endpoints (169.254.169.254) as an immediate mitigation (RAXE assessment). Remove requests from additional_authorized_imports unless strictly required (RAXE assessment). Monitor for a patched release from HuggingFace.

2. Risk Rating

Dimension	Rating	Detail
Severity	CONTESTED -- see divergence note below	NVD: 9.8 Critical / VulDB: 6.3 Medium
Urgency	HIGH	No public fix identified at time of review; public PoC exists; no vendor response (NVD, VulDB, PoC report)
Scope	UNCHANGED (`S:U`)	Both NVD and VulDB agree on `S:U` (NVD, VulDB)
Confidence	HIGH	CVE assigned, NVD status: Analyzed, public PoC available (NVD, PoC report)
Business Impact	MEDIUM-HIGH	Confidentiality loss via SSRF to internal services; potential cloud credential theft (PoC report). Impact scope depends on deployment configuration (RAXE assessment)

CVSS Divergence Note

Public sources disagree on exploit preconditions and impact scope. NVD has completed its analysis of CVE-2026-2654 (status: Analyzed) and assigns 9.8 Critical (NVD). VulDB independently assigns 6.3 Medium (VulDB). The 3.5-point divergence reflects genuine disagreement between two completed assessments on both authentication requirements and impact scope. This publication presents both scores without correcting either source.

Source	Base Score	Severity	Full Vector	NVD Status
NVD	9.8	Critical	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`	Analyzed (NVD)
VulDB	6.3	Medium	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L`	Independent assessment (VulDB)

Key disagreements: - Privileges Required: NVD assigns PR:N (no privileges); VulDB assigns PR:L (low privilege) (NVD, VulDB) - Impact: NVD assigns High across Confidentiality, Integrity, and Availability; VulDB assigns Low across all three (NVD, VulDB)

VulDB additionally provides a CVSS v4.0 score of 5.3 Medium with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P, which includes the exploit maturity modifier E:P (Proof-of-concept) (VulDB).

Authentication language policy: NVD assigns PR:N (unauthenticated) whilst VulDB assigns PR:L (low privilege). Per the conservative PR disagreement rule, when authoritative sources disagree on authentication requirements, this publication uses the more conservative (higher-privilege) assessment. The vulnerability is therefore described as requiring low-privilege access (conservative PR rule applied). The NVD score of 9.8 is recorded in metadata as the authoritative NVD assessment.

3. Affected Products

Product	Registry	Affected Versions	Fixed Version	Source
smolagents	PyPI	1.0.0 -- 1.24.0	None identified at time of review	NVD

NO PUBLIC FIXED VERSION IDENTIFIED. As of 2026-03-11, no patched version of smolagents has been identified. The latest published version on PyPI is 1.24.0, which remains affected per the NVD entry (NVD). The vendor (HuggingFace) has not responded to the disclosure (VulDB). Organisations cannot remediate by upgrading and must implement network-layer mitigations described in Section 10. Confirm the fix status on PyPI immediately before acting on this advisory.

Am I Affected?

Check if smolagents is installed: pip show smolagents or pip3 show smolagents
Any version from 1.0.0 through 1.24.0 (inclusive) is affected (NVD)
Check if requests or other network-capable modules appear in your additional_authorized_imports configuration -- exploitation requires this parameter to include a network-capable module (PoC report)
Default configurations without additional_authorized_imports set may not be exploitable (RAXE assessment, based on PoC prerequisite analysis)

4. Abstract

CVE-2026-2654 is a configuration-dependent server-side request forgery vulnerability in HuggingFace's smolagents library, an AI agent framework that enables LLM-powered agents to execute tool-use code within a LocalPythonExecutor sandbox. Exploitation requires that deployers have explicitly authorised network-capable modules (such as requests) via the additional_authorized_imports parameter — default configurations without this setting are assessed as not exploitable through this vector (RAXE assessment, inferred from PoC prerequisites — no explicit vendor confirmation). The executor implements AST-based filtering to restrict dangerous system calls during agent code execution (PoC report). However, when network-capable modules are authorised, the executor permits arbitrary HTTP requests without URL validation or egress filtering (PoC report, NVD). This allows a low-privilege attacker to manipulate the agent into making requests to internal network endpoints, including RFC 1918 private ranges, loopback addresses, and cloud instance metadata services (PoC report). The vulnerability is classified as CWE-918 ("Server-Side Request Forgery") in the NVD entry (NVD entry, CNA-assigned by VulDB). No public fixed version has been identified as of 2026-03-11; the latest published version (1.24.0) remains affected per the NVD entry (NVD). The vendor (HuggingFace) has not responded to the disclosure (VulDB).

5. Key Findings

Unrestricted egress from agent code executor -- The LocalPythonExecutor permits arbitrary HTTP requests via whitelisted modules (e.g., requests) without validating destination URLs or enforcing egress restrictions. The AST-based filter blocks dangerous system calls but does not inspect the targets of permitted network operations (PoC report).
Three-stage exfiltration chain demonstrated -- The public PoC describes a chain where the attacker (a) issues an SSRF request to an internal endpoint via the agent's requests.get(), (b) encodes the response using .hex() to bypass output filtering, and (c) exfiltrates the encoded data via a secondary HTTP request to an attacker-controlled server (PoC report).
Cloud metadata credential theft demonstrated -- The PoC describes directing the SSRF to cloud instance metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/) to retrieve IAM credential material (PoC report).
Significant CVSS divergence between completed assessments -- NVD assigns 9.8 Critical (PR:N, C:H/I:H/A:H) whilst VulDB assigns 6.3 Medium (PR:L, C:L/I:L/A:L). The 3.5-point gap reflects genuine disagreement on both authentication requirements and impact scope between two completed analyses (NVD, VulDB).
No vendor response or public fix identified -- HuggingFace has not responded to the vulnerability disclosure, and no public fixed version has been identified at time of review. The latest version (1.24.0) remains affected per the NVD entry (NVD, VulDB).

6. Attack Flow

+-----------------------------+
|  1. PREREQUISITE CHECK      |  Target uses LocalPythonExecutor
|  requests in authorised     |  with requests in
|  imports                    |  additional_authorized_imports
+------------+----------------+  (PoC report)
             |
             v
+-----------------------------+
|  2. AGENT MANIPULATION      |  Attacker delivers SSRF payload:
|  Prompt injection or        |  - Prompt injection against
|  direct API access          |    deployed agent endpoint
|  (PR:L per VulDB)           |  - Direct agent API interaction
+------------+----------------+  (PoC report)
             |
             v
+-----------------------------+
|  3. SSRF TO INTERNAL HOST   |  Agent executes requests.get()
|  No URL validation          |  against internal address
|  No egress filtering        |  (e.g., http://127.0.0.1:8081/)
+------------+----------------+  (PoC report)
             |
             v
+-----------------------------+
|  4. RESPONSE ENCODING       |  Internal service response
|  .hex() encoding            |  encoded via Python .hex()
|  Bypasses output filtering  |  to evade content inspection
+------------+----------------+  (PoC report)
             |
             v
+-----------------------------+
|  5. OOB EXFILTRATION        |  Hex-encoded data appended as
|  HTTP GET to attacker       |  query parameter to outbound
|  server via requests.get()  |  request to attacker server
+------------+----------------+  (PoC report)
             |
             v
+-----------------------------+
|  6. OPTIONAL ESCALATION     |  Same mechanism directed to
|  Cloud metadata SSRF        |  169.254.169.254 to retrieve
|  IAM credential theft       |  cloud IAM credentials
+-----------------------------+  (PoC report)

7. Technical Details

Vulnerability Mechanics

The smolagents LocalPythonExecutor implements an AST-based code filter to restrict which operations LLM-generated code may perform during agent execution (PoC report). The executor exposes an additional_authorized_imports parameter that allows deployers to whitelist modules beyond the default safe set. When network-capable libraries such as requests are included in this whitelist, no URL validation or egress filtering is applied to the resulting HTTP calls (PoC report, NVD).

The vulnerability is listed under CWE-918 ("Server-Side Request Forgery") in the NVD entry (NVD). The core issue is the absence of destination validation on outbound requests made through authorised modules. The executor correctly restricts which modules can be imported but does not inspect the arguments passed to permitted functions (PoC report).

Attack Prerequisites

All of the following conditions must hold for exploitation to succeed:

#	Prerequisite	Confidence	Source
P-1	The target deployment uses `LocalPythonExecutor` (not a sandboxed alternative executor)	High	PoC report
P-2	A network-capable module (at minimum `requests`) is included in `additional_authorized_imports`	High	PoC report
P-3	The attacker can influence the prompt sent to the agent (via prompt injection against a deployed endpoint) or has direct low-privilege access to an agent API	High	PoC report
P-4	The agent execution environment has outbound network access to internal services or cloud metadata endpoints	High	RAXE assessment

CVSS Vector Decomposition

Due to the CVSS divergence, both vectors are decomposed below:

NVD (9.8 Critical — status: Analyzed):

Component	Value	Meaning	Source
`AV:N`	Network	Exploitable remotely	NVD
`AC:L`	Low	No specialised conditions	NVD
`PR:N`	None	No privileges required	NVD
`UI:N`	None	No user interaction needed	NVD
`S:U`	Unchanged	Impact within vulnerable component boundary	NVD
`C:H`	High	Complete confidentiality loss	NVD
`I:H`	High	Complete integrity loss	NVD
`A:H`	High	Complete availability loss	NVD

VulDB (6.3 Medium):

Component	Value	Meaning	Source
`AV:N`	Network	Exploitable remotely	VulDB
`AC:L`	Low	No specialised conditions	VulDB
`PR:L`	Low	Low-privilege access required	VulDB
`UI:N`	None	No user interaction needed	VulDB
`S:U`	Unchanged	Impact within vulnerable component boundary	VulDB
`C:L`	Low	Limited confidentiality loss	VulDB
`I:L`	Low	Limited integrity loss	VulDB
`A:L`	Low	Limited availability loss	VulDB

Weakness Classification

CWE-918 -- "Server-Side Request Forgery (SSRF)" (NVD)

MITRE ATLAS Mapping

Technique	ID	Relevance
AI Agent Tool Invocation	`AML.T0053`	The SSRF primitive exploits the agent's tool invocation capability -- specifically, the executor's use of `requests.get()` -- to perform network actions on behalf of the attacker. The `LocalPythonExecutor` becomes a network pivot point when configured with network-capable imports (RAXE assessment)

Exploit Prediction

The EPSS probability for CVE-2026-2654 is 0.043% (13th percentile), indicating a low predicted probability of exploitation in the wild at time of writing (FIRST.org EPSS, data date 2026-03-10). A public proof-of-concept is available but has not been independently verified by RAXE Labs (PoC report).

8. Confidence & Validation

Assessment Confidence: High

Aspect	Status	Detail
Vendor Advisory	None	HuggingFace has not responded to the disclosure (VulDB)
CVE Assigned	Yes	`CVE-2026-2654`, published 2026-02-18, NVD status: Analyzed (NVD)
PoC Available	Public	github.com/CH0ico/CVE_choco_smolagent -- not independently verified by RAXE Labs (PoC report)
Patch Available	No public fix identified	Latest version 1.24.0 remains affected per NVD entry (NVD)
Exploited in Wild	Not known	No CISA KEV listing; no public reports of active exploitation (NVD)
EPSS	`0.043%` (13th percentile)	Low predicted exploitation probability (FIRST.org EPSS)

Key Assumptions (KAC)

#	Assumption	Confidence	Basis
K1	The SSRF is only exploitable when network-capable modules are authorised in `additional_authorized_imports`	High	PoC demonstrates exploitation via `requests.get()` which must be explicitly authorised (PoC report)
K2	Exploitation requires the attacker to influence agent prompts or have direct access to agent APIs	High	PoC describes prompt injection or direct API access as prerequisites (PoC report)
K3	The vendor (HuggingFace) will eventually release a fix	Medium	No vendor response to date (VulDB); timeline unknown (RAXE assessment)
K4	No in-the-wild exploitation has occurred prior to this analysis	Medium	No KEV listing; EPSS `0.043%` suggests low exploitation activity; public PoC availability increases future risk (NVD, FIRST.org EPSS, RAXE assessment)

Diamond Model

Element	Assessment
Adversary	An attacker capable of crafting prompts to direct agent behaviour, or with low-privilege access to an agent API endpoint (PoC report, VulDB)
Capability	Low barrier for SSRF; moderate barrier for cloud credential theft. Requires knowledge of agent configuration and internal network topology (RAXE assessment)
Infrastructure	Attacker-controlled HTTP server for out-of-band data reception; access to a deployed smolagents instance (PoC report)
Victim	Organisations deploying smolagents with `requests` in `additional_authorized_imports` in environments with access to internal networks or cloud infrastructure (RAXE assessment)

9. Detection Signatures

Detection Limitations: These rules are derived from the PoC attack chain description, not from vendor telemetry. HuggingFace has not published indicators of compromise or detection guidance (VulDB). The PoC has not been independently executed in an isolated RAXE Labs environment; detection signatures are based on the conceptual attack chain (PoC report). Process identification fields may require tuning to match specific deployment naming conventions (RAXE assessment). Rule severities are set based on signal fidelity, not the contested CVSS score. See the severity cross-check table below.

Sigma Rule 1 -- smolagents Outbound Request to Internal Network (Delivery Telemetry)

Detects outbound network connections to RFC 1918 private ranges, loopback addresses, or link-local ranges from a Python process associated with smolagents (PoC report).

title: smolagents LocalPythonExecutor Outbound Request to Internal Network
id: 7a3f1c2d-4b8e-4f0a-9c6d-1e2a5b3d8f4c
status: experimental
description: >
  Detects outbound network connections to RFC 1918 private address ranges,
  loopback addresses, or link-local addresses initiated by a Python process
  associated with a smolagents deployment. This may indicate exploitation of
  CVE-2026-2654 (CWE-918, SSRF) via the LocalPythonExecutor component.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-2654
  - https://github.com/CH0ico/CVE_choco_smolagent/blob/main/report.md
  - https://vuldb.com/?id.346451
author: RAXE Labs (M. Hirani)
date: 2026-03-10
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.2654
  - cwe.918
logsource:
  category: network_connection
  product: windows
detection:
  selection_process:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
      - '/python3'
      - '/python'
    CommandLine|contains:
      - 'smolagents'
  selection_destination:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '127.0.0.0/8'
      - '::1/128'
      - '169.254.0.0/16'
  condition: selection_process and selection_destination
falsepositives:
  - Legitimate agent workflows that query internal APIs as part of authorised tool use
  - Developers running smolagents locally who access local services during testing
  - Integration tests that deliberately issue internal HTTP requests
level: medium

Tuning guidance: This rule will generate false positives in any smolagents deployment where agents are intentionally authorised to query internal services. Deployers should baseline normal internal destinations and add allowlisting for expected internal API endpoints. The process name filter (CommandLine|contains: smolagents) may require adjustment to match the specific process naming convention in a given deployment (RAXE assessment).

Sigma Rule 2 -- smolagents Connection to Cloud Metadata Service (Post-Exploitation Hunting)

Detects outbound connections to cloud instance metadata service (IMDS) endpoints from a Python process associated with smolagents (PoC report). This is a high-fidelity signal because legitimate agent workloads should not query the metadata service directly (RAXE assessment).

title: smolagents Process Connecting to Cloud Metadata Service Endpoints
id: 2b8d4e6f-9a1c-4e2b-8f3d-7c5a9b1d3e5f
status: experimental
description: >
  Detects outbound HTTP connections to cloud instance metadata service (IMDS)
  endpoints from a Python process associated with smolagents. Consistent with
  post-exploitation SSRF activity as described in the PoC for CVE-2026-2654.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-2654
  - https://github.com/CH0ico/CVE_choco_smolagent/blob/main/report.md
  - https://vuldb.com/?id.346451
author: RAXE Labs (M. Hirani)
date: 2026-03-10
tags:
  - attack.credential_access
  - attack.t1552.005
  - attack.initial_access
  - attack.t1190
  - cve.2026.2654
  - cwe.918
logsource:
  category: network_connection
  product: windows
detection:
  selection_process:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
      - '/python3'
      - '/python'
    CommandLine|contains:
      - 'smolagents'
  selection_imds:
    DestinationIp:
      - '169.254.169.254'
    DestinationPort:
      - 80
  condition: selection_process and selection_imds
falsepositives:
  - Bespoke agent tools legitimately designed to retrieve instance metadata
    (these should be extremely rare and require documented justification)
  - Security tooling that queries IMDS for host enrichment
level: high

Sigma Rule 3 -- Hex-Encoded Data Exfiltration Pattern (Hunting Rule)

Detects outbound HTTP GET requests containing a data= query parameter with a hex-string pattern, consistent with the exfiltration stage of the PoC attack chain (PoC report). Requires HTTP request-level inspection (e.g., proxy logs or WAF access logs). This rule is ineffective against HTTPS exfiltration channels (RAXE assessment).

title: smolagents Hex-Encoded Data Exfiltration via HTTP Query Parameter
id: 5c9e3a7b-2d4f-4c8a-b1e9-4f6d2c8a0b3e
status: experimental
description: >
  Detects outbound HTTP GET requests with a hex-encoded data= query parameter
  consistent with the exfiltration stage of CVE-2026-2654 exploitation.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-2654
  - https://github.com/CH0ico/CVE_choco_smolagent/blob/main/report.md
  - https://vuldb.com/?id.346451
author: RAXE Labs (M. Hirani)
date: 2026-03-10
tags:
  - attack.exfiltration
  - attack.t1048.003
  - attack.initial_access
  - attack.t1190
  - cve.2026.2654
  - cwe.918
logsource:
  category: proxy
detection:
  selection:
    cs-uri-query|re: '(?i)(^|&)data=[0-9a-f]{32,}'
  condition: selection
falsepositives:
  - Legitimate applications that encode data payloads as hex strings in query parameters
  - Security tooling that uses hex-encoded tokens for correlation
  - Developers testing encoding utilities via HTTP clients
level: medium

Tuning guidance: The regex [0-9a-f]{32,} matches any hex string of 32 or more characters. The false-positive rate depends on the application landscape. In environments where hex tokens are common (e.g., trace IDs, session tokens), deployers should increase the minimum length threshold or add a condition requiring the request to originate from a process associated with smolagents (RAXE assessment).

Severity Cross-Check Table

Rule	Level	Classification	Rationale	NVD CVSS	VulDB CVSS	Divergence Acknowledged
Rule 1 -- RFC1918 Outbound	medium	Delivery telemetry	Internal network contact has legitimate uses; requires baselining	9.8 Critical	6.3 Medium	Yes
Rule 2 -- IMDS Contact	high	Post-exploitation hunting	No legitimate agent workflow should contact cloud metadata service; high specificity	9.8 Critical	6.3 Medium	Yes
Rule 3 -- Hex Exfiltration	medium	Hunting rule	Hex-encoded query parameters have legitimate uses; requires contextual confirmation; proxy log coverage required	9.8 Critical	6.3 Medium	Yes

10. Detection & Mitigation

Immediate Actions (No Patch Available)

Implement egress filtering -- Block outbound requests from smolagents execution environments to RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8, ::1), cloud metadata endpoints (169.254.169.254), and link-local addresses (169.254.0.0/16) at the network layer (RAXE assessment).
Remove unnecessary network modules -- Review additional_authorized_imports configurations and remove requests or other network-capable modules unless strictly required for agent functionality (RAXE assessment).
Enforce authentication on agent APIs -- Ensure all agent-facing API endpoints require authentication to raise the barrier from low-privilege to authenticated access (RAXE assessment).

Short-Term Actions (Within 1 Week)

Deploy detection rules -- Implement Sigma Rules 1--3 (above) in your SIEM or NDR platform. Begin with Rule 2 (IMDS contact) for highest-fidelity detection with lowest false-positive risk (RAXE assessment).
Implement IMDSv2 -- If running smolagents in AWS environments, enforce IMDSv2 (token-based) to mitigate the SSRF-to-IMDS escalation path. IMDSv2 requires a PUT request with a hop limit, which complicates SSRF exploitation of the metadata service (RAXE assessment).
Implement URL validation -- If extending the smolagents codebase is feasible, add URL validation callbacks within the executor to block requests to private address ranges before they are sent (PoC report).

Strategic Recommendations

Audit all AI agent code execution environments -- Any framework that allows LLM-generated code to make network requests is potentially susceptible to the same class of SSRF vulnerability. Review egress controls in all agent execution sandboxes (RAXE assessment).
Monitor for vendor patch -- Track HuggingFace's smolagents repository and PyPI page for a patched release. Given the absence of vendor response, consider filing a public issue or contacting HuggingFace security directly (RAXE assessment).

11. Indicators of Compromise

Type	Indicator	Context
Behavioural	Outbound HTTP request from smolagents process to `RFC 1918` / loopback / link-local address	SSRF exploitation -- agent directed to contact internal service (PoC report)
Behavioural	Outbound HTTP request from smolagents process to `169.254.169.254`	Cloud metadata SSRF -- agent directed to retrieve IAM credentials (PoC report)
Network	Outbound HTTP GET with `data=` query parameter containing hex-encoded string (32+ characters)	OOB exfiltration -- internal service response encoded and sent to attacker server (PoC report)
Network	Two sequential outbound HTTP requests from smolagents process: first to internal address, second to external address	Complete exfiltration chain -- SSRF followed by out-of-band data transfer (RAXE assessment)

Note: All indicators are behavioural heuristics derived from the PoC attack chain description. No vendor-supplied indicators of compromise are available (VulDB). These should be treated as hunting signals, not confirmed IOCs (RAXE assessment).

12. Strategic Context

CVE-2026-2654 illustrates a recurring pattern in AI agent security: the tension between utility and security in code execution sandboxes. The smolagents LocalPythonExecutor was designed to safely execute LLM-generated code, but the addition of network-capable modules through additional_authorized_imports transforms it from a code sandbox into a network pivot point (RAXE assessment).

AI agent frameworks increasingly require network access. As AI agents evolve from isolated code execution to tool-use architectures that interact with external APIs, databases, and services, the boundary between permitted and dangerous network access becomes increasingly difficult to enforce. The smolagents SSRF demonstrates that import-level controls (AST filtering of module names) are insufficient when the permitted modules themselves can reach arbitrary network destinations (RAXE assessment).

SSRF is a known class, but the agent context amplifies impact. SSRF vulnerabilities are well-documented in web application security. However, in an AI agent context, the attacker does not need to craft the malicious request directly -- they can instruct the LLM to generate it through prompt manipulation. This indirect exploitation path makes traditional input validation at the HTTP layer insufficient; validation must also occur within the agent execution environment itself (RAXE assessment).

Vendor non-responsiveness increases exposure window. The absence of a vendor response or patch means that the exposure window is indefinite. Organisations cannot rely on upgrading and must implement network-layer mitigations. This pattern of delayed vendor engagement with security disclosures in AI/ML library ecosystems has been observed across multiple findings in this research stream (RAXE assessment).

Regulatory trajectory. The EU AI Act's requirements for high-risk AI systems include provisions for cybersecurity resilience and robustness testing. Vulnerabilities like CVE-2026-2654 -- where an AI agent can be redirected to perform unintended network actions -- fall squarely within the scope of these requirements. Organisations deploying AI agents in regulated sectors should anticipate that egress controls and network isolation for agent execution environments will become compliance requirements, not optional hardening measures (RAXE assessment).

Forward outlook. As AI agent frameworks mature, the attack surface will shift from simple SSRF through authorised modules to more sophisticated manipulation of agent tool chains. The smolagents case is notable because the vulnerability arises not from a coding error in a traditional sense, but from a design decision to trust the developer's judgement on which modules are safe to authorise. Future frameworks will need to implement fine-grained capability controls -- not just module-level import filtering, but function-level and argument-level validation for network-capable operations (RAXE assessment).

13. References

CVE-2026-2654 -- NVD entry (status: Analyzed), CWE-918, published 2026-02-18 (NVD)
Public PoC -- CVE_choco_smolagent -- SSRF PoC report by CH0ico (PoC report)
VulDB Entry -- CVE-2026-2654 -- CVSS 6.3 Medium, CVSS v4.0 5.3 Medium (VulDB)
VulDB Submission -- Original disclosure submission (VulDB)
FIRST.org EPSS: CVE-2026-2654 -- 0.043% probability, 13th percentile (FIRST.org EPSS)
MITRE ATLAS: AML.T0053 -- AI Agent Tool Invocation -- Technique mapping for SSRF through agent tool invocation capability (RAXE assessment)
CWE-918 -- "Server-Side Request Forgery (SSRF)" -- Weakness classification (NVD)