Skip to main content
CVE Vulnerability Database

CVE-2026-4963: Huggingface Smolagents RCE Vulnerability

CVE-2026-4963 is a remote code execution flaw in Huggingface Smolagents 1.25.0.dev0 allowing code injection attacks. This post covers the technical details, affected versions, security impact, and mitigation steps.

Published:

CVE-2026-4963 Overview

A code injection vulnerability has been identified in Hugging Face smolagents version 1.25.0.dev0. This security flaw affects the functions evaluate_augassign, evaluate_call, and evaluate_with within the file src/smolagents/local_python_executor.py. The vulnerability stems from an incomplete fix for CVE-2025-9959, allowing attackers to inject and execute arbitrary code through the local Python executor component.

Critical Impact

Remote attackers can exploit this code injection vulnerability to execute arbitrary code within the smolagents environment, potentially compromising AI agent workflows and gaining unauthorized access to systems running affected smolagents deployments.

Affected Products

  • Hugging Face smolagents 1.25.0.dev0

Discovery Timeline

  • 2026-03-27 - CVE-2026-4963 published to NVD
  • 2026-03-30 - Last updated in NVD database

Technical Details for CVE-2026-4963

Vulnerability Analysis

This vulnerability represents an incomplete patch scenario where the original fix for CVE-2025-9959 failed to adequately address all code injection vectors within the local Python executor component. The local_python_executor.py file is responsible for safely evaluating Python code within the smolagents framework, which is designed to enable AI agents to execute code in controlled environments. The flawed implementation allows crafted input to bypass security controls and achieve code injection.

The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly known as injection vulnerabilities. This classification indicates that the affected functions fail to properly sanitize or neutralize user-controlled input before processing it within the Python execution context.

Root Cause

The root cause lies in insufficient input validation and sanitization within the evaluate_augassign, evaluate_call, and evaluate_with functions. When the original CVE-2025-9959 was addressed, the patch did not comprehensively cover all execution paths that could be exploited for code injection. The development version (1.25.0.dev0) contains code paths where specially crafted input can escape the intended sandboxed execution environment, allowing arbitrary Python code to be executed.

Attack Vector

The attack can be initiated remotely over a network connection. An attacker targeting this vulnerability would craft malicious input designed to exploit the incomplete validation in the affected evaluation functions. When processed by the vulnerable smolagents component, this input would result in the execution of attacker-controlled code.

The exploitation flow typically involves:

  1. Identifying an application or service using the vulnerable smolagents version
  2. Crafting payload input that targets one of the affected evaluation functions
  3. Submitting the malicious input through the exposed interface
  4. Achieving code execution within the context of the smolagents process

Proof-of-concept code has been made publicly available, increasing the risk of exploitation. Technical details and exploit code can be found in the GitHub Gist PoC Code and GitHub Gist Code Snippet resources.

Detection Methods for CVE-2026-4963

Indicators of Compromise

  • Unexpected Python processes spawned by smolagents with anomalous command-line arguments
  • Unusual network connections originating from the smolagents process
  • Log entries showing execution of unexpected code patterns within the local Python executor
  • File system modifications in directories accessible by the smolagents process

Detection Strategies

  • Monitor for anomalous code execution patterns within smolagents deployments, particularly those involving the local_python_executor.py component
  • Implement application-level logging to capture and analyze inputs processed by evaluate_augassign, evaluate_call, and evaluate_with functions
  • Deploy runtime application self-protection (RASP) solutions to detect injection attempts in real-time
  • Use SentinelOne Singularity to detect behavioral indicators of code injection and post-exploitation activity

Monitoring Recommendations

  • Enable verbose logging for smolagents applications to capture potential exploitation attempts
  • Set up alerts for process creation events originating from smolagents with suspicious characteristics
  • Monitor outbound network traffic from systems running vulnerable smolagents versions
  • Implement file integrity monitoring on critical system directories accessible to the smolagents process

How to Mitigate CVE-2026-4963

Immediate Actions Required

  • Inventory all systems and applications using Hugging Face smolagents to identify vulnerable deployments
  • Consider temporarily disabling or isolating affected smolagents instances until a patch is available
  • Implement network-level controls to restrict access to systems running vulnerable smolagents versions
  • Review and restrict the permissions and capabilities available to smolagents processes

Patch Information

No official patch is currently available. The vendor was contacted about this disclosure but did not respond. Organizations should monitor the official Hugging Face smolagents repository and security advisories for updates. Additional vulnerability details are documented in VulDB #353840.

Workarounds

  • Implement input validation and sanitization at the application layer before passing data to smolagents functions
  • Deploy smolagents in isolated container environments with minimal privileges and restricted network access
  • Use application firewalls or API gateways to filter potentially malicious input patterns before they reach vulnerable components
  • Consider implementing additional sandboxing mechanisms around the local Python executor functionality
bash
# Example: Restrict smolagents process capabilities using Docker
docker run --security-opt=no-new-privileges \
  --cap-drop=ALL \
  --read-only \
  --network=none \
  your-smolagents-application

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.