CVE-2026-4963 Overview
A code injection vulnerability has been identified in Hugging Face smolagents version 1.25.0.dev0. This security flaw affects the functions evaluate_augassign, evaluate_call, and evaluate_with within the file src/smolagents/local_python_executor.py. The vulnerability stems from an incomplete fix for CVE-2025-9959, allowing attackers to inject and execute arbitrary code through the local Python executor component.
Critical Impact
Remote attackers can exploit this code injection vulnerability to execute arbitrary code within the smolagents environment, potentially compromising AI agent workflows and gaining unauthorized access to systems running affected smolagents deployments.
Affected Products
- Hugging Face smolagents 1.25.0.dev0
Discovery Timeline
- 2026-03-27 - CVE-2026-4963 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-4963
Vulnerability Analysis
This vulnerability represents an incomplete patch scenario where the original fix for CVE-2025-9959 failed to adequately address all code injection vectors within the local Python executor component. The local_python_executor.py file is responsible for safely evaluating Python code within the smolagents framework, which is designed to enable AI agents to execute code in controlled environments. The flawed implementation allows crafted input to bypass security controls and achieve code injection.
The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly known as injection vulnerabilities. This classification indicates that the affected functions fail to properly sanitize or neutralize user-controlled input before processing it within the Python execution context.
Root Cause
The root cause lies in insufficient input validation and sanitization within the evaluate_augassign, evaluate_call, and evaluate_with functions. When the original CVE-2025-9959 was addressed, the patch did not comprehensively cover all execution paths that could be exploited for code injection. The development version (1.25.0.dev0) contains code paths where specially crafted input can escape the intended sandboxed execution environment, allowing arbitrary Python code to be executed.
Attack Vector
The attack can be initiated remotely over a network connection. An attacker targeting this vulnerability would craft malicious input designed to exploit the incomplete validation in the affected evaluation functions. When processed by the vulnerable smolagents component, this input would result in the execution of attacker-controlled code.
The exploitation flow typically involves:
- Identifying an application or service using the vulnerable smolagents version
- Crafting payload input that targets one of the affected evaluation functions
- Submitting the malicious input through the exposed interface
- Achieving code execution within the context of the smolagents process
Proof-of-concept code has been made publicly available, increasing the risk of exploitation. Technical details and exploit code can be found in the GitHub Gist PoC Code and GitHub Gist Code Snippet resources.
Detection Methods for CVE-2026-4963
Indicators of Compromise
- Unexpected Python processes spawned by smolagents with anomalous command-line arguments
- Unusual network connections originating from the smolagents process
- Log entries showing execution of unexpected code patterns within the local Python executor
- File system modifications in directories accessible by the smolagents process
Detection Strategies
- Monitor for anomalous code execution patterns within smolagents deployments, particularly those involving the local_python_executor.py component
- Implement application-level logging to capture and analyze inputs processed by evaluate_augassign, evaluate_call, and evaluate_with functions
- Deploy runtime application self-protection (RASP) solutions to detect injection attempts in real-time
- Use SentinelOne Singularity to detect behavioral indicators of code injection and post-exploitation activity
Monitoring Recommendations
- Enable verbose logging for smolagents applications to capture potential exploitation attempts
- Set up alerts for process creation events originating from smolagents with suspicious characteristics
- Monitor outbound network traffic from systems running vulnerable smolagents versions
- Implement file integrity monitoring on critical system directories accessible to the smolagents process
How to Mitigate CVE-2026-4963
Immediate Actions Required
- Inventory all systems and applications using Hugging Face smolagents to identify vulnerable deployments
- Consider temporarily disabling or isolating affected smolagents instances until a patch is available
- Implement network-level controls to restrict access to systems running vulnerable smolagents versions
- Review and restrict the permissions and capabilities available to smolagents processes
Patch Information
No official patch is currently available. The vendor was contacted about this disclosure but did not respond. Organizations should monitor the official Hugging Face smolagents repository and security advisories for updates. Additional vulnerability details are documented in VulDB #353840.
Workarounds
- Implement input validation and sanitization at the application layer before passing data to smolagents functions
- Deploy smolagents in isolated container environments with minimal privileges and restricted network access
- Use application firewalls or API gateways to filter potentially malicious input patterns before they reach vulnerable components
- Consider implementing additional sandboxing mechanisms around the local Python executor functionality
# Example: Restrict smolagents process capabilities using Docker
docker run --security-opt=no-new-privileges \
--cap-drop=ALL \
--read-only \
--network=none \
your-smolagents-application
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
