CVE-2026-4963
Received Received - Intake
Remote Code Injection in Huggingface Smolagents Local Executor

Publication date: 2026-03-27

Last updated on: 2026-04-30

Assigner: VulDB

Description
A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4963
EUVD
EUVD-2026-16726
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
huggingface smolagents 1.25.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4963 is a critical security vulnerability in the smolagents Python package, specifically in the LocalPythonExecutor component. It is a sandbox escape vulnerability that allows remote code execution (RCE) on the host system.

The vulnerability arises from an incomplete fix for a previous issue (CVE-2025-9959). The sandbox uses an allowlist to permit certain special methods like __str__ and __repr__, assuming they are safe. However, attackers can define malicious __str__ or __repr__ methods that execute arbitrary code by manipulating internal Python objects and bypassing sandbox restrictions.

Additionally, the vulnerability exploits missing checks on dunder attributes during augmented assignment operations, allowing attackers to overwrite function bytecode and execute arbitrary commands remotely.

In summary, this vulnerability allows an attacker to escape the sandbox and run arbitrary system commands remotely by exploiting flaws in how special methods and attribute assignments are handled.

Impact Analysis

This vulnerability can have severe impacts including full sandbox escape and remote code execution on the host system running the vulnerable smolagents package.

  • Attackers can execute arbitrary system commands with the privileges of the process running LocalPythonExecutor.
  • It compromises confidentiality, integrity, and availability of the affected system.
  • The exploit is simple and concise, making it easy to trigger, including via prompt injection in language models.
  • No patched versions are currently available, so systems using affected versions remain vulnerable.
Detection Guidance

This vulnerability is a sandbox escape in the LocalPythonExecutor component of the smolagents Python package, allowing remote code execution by exploiting unvalidated __str__ and __repr__ methods or augmented assignment bypasses on dunder attributes.

Detection involves identifying if the vulnerable version of smolagents (up to 1.25.0.dev0) is in use and monitoring for suspicious activity such as unexpected execution of system commands originating from the LocalPythonExecutor sandbox.

Since the exploit involves Python code execution, you can detect attempts by monitoring logs or running commands that check for the presence of the vulnerable package version and unusual Python processes or scripts.

  • Check installed smolagents version: `pip show smolagents` or `pip list | grep smolagents`
  • Search for suspicious Python processes or commands invoking LocalPythonExecutor or unusual system commands: `ps aux | grep python` and review command arguments.
  • Monitor logs for execution of commands like `os.system()` or other system calls triggered from Python processes.
  • Use Python introspection to check if the vulnerable functions (`evaluate_augassign`, `evaluate_call`, `evaluate_with`) are present in the installed smolagents package source code.
Mitigation Strategies

Currently, no patched versions of smolagents are available to fix this vulnerability.

Immediate mitigation steps include:

  • Avoid using the vulnerable versions of smolagents (up to 1.25.0.dev0) in production or exposed environments.
  • Restrict access to systems running smolagents to trusted users only, minimizing the risk of remote exploitation.
  • Implement network-level controls such as firewalls or segmentation to prevent unauthorized remote access to the vulnerable service.
  • Monitor and audit usage of the LocalPythonExecutor component for suspicious activity or unexpected code execution.
  • Consider disabling or sandboxing the LocalPythonExecutor component if feasible until a patch is released.

Stay informed about updates from the vendor or security community for any forthcoming patches or official mitigations.

Compliance Impact

The CVE-2026-4963 vulnerability allows remote code execution and full sandbox escape in the smolagents LocalPythonExecutor component, which can lead to unauthorized access, modification, or destruction of data.

Such a vulnerability can compromise the confidentiality, integrity, and availability of sensitive data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.

Because the exploit enables attackers to execute arbitrary code remotely, it increases the risk of data breaches and unauthorized data manipulation, which are critical compliance concerns.

No patched versions are currently available, and the exploit is publicly known and easy to trigger, further elevating the compliance risk for organizations using affected versions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4963. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart