CVE-2026-4963
Remote Code Injection in Huggingface Smolagents Local Executor
Publication date: 2026-03-27
Last updated on: 2026-04-30
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | smolagents | 1.25.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4963 is a critical security vulnerability in the smolagents Python package, specifically in the LocalPythonExecutor component. It is a sandbox escape vulnerability that allows remote code execution (RCE) on the host system.
The vulnerability arises from an incomplete fix for a previous issue (CVE-2025-9959). The sandbox uses an allowlist to permit certain special methods like __str__ and __repr__, assuming they are safe. However, attackers can define malicious __str__ or __repr__ methods that execute arbitrary code by manipulating internal Python objects and bypassing sandbox restrictions.
Additionally, the vulnerability exploits missing checks on dunder attributes during augmented assignment operations, allowing attackers to overwrite function bytecode and execute arbitrary commands remotely.
In summary, this vulnerability allows an attacker to escape the sandbox and run arbitrary system commands remotely by exploiting flaws in how special methods and attribute assignments are handled.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full sandbox escape and remote code execution on the host system running the vulnerable smolagents package.
- Attackers can execute arbitrary system commands with the privileges of the process running LocalPythonExecutor.
- It compromises confidentiality, integrity, and availability of the affected system.
- The exploit is simple and concise, making it easy to trigger, including via prompt injection in language models.
- No patched versions are currently available, so systems using affected versions remain vulnerable.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a sandbox escape in the LocalPythonExecutor component of the smolagents Python package, allowing remote code execution by exploiting unvalidated __str__ and __repr__ methods or augmented assignment bypasses on dunder attributes.
Detection involves identifying if the vulnerable version of smolagents (up to 1.25.0.dev0) is in use and monitoring for suspicious activity such as unexpected execution of system commands originating from the LocalPythonExecutor sandbox.
Since the exploit involves Python code execution, detection rests on two things: confirming whether an affected package version is installed, and monitoring logs and process activity for unusual Python processes or scripts.
- Check installed smolagents version: `pip show smolagents` or `pip list | grep smolagents`
- Search for suspicious Python processes or commands invoking LocalPythonExecutor or unusual system commands: `ps aux | grep python` and review command arguments.
- Monitor logs for execution of commands like `os.system()` or other system calls triggered from Python processes.
- Use Python introspection to check if the vulnerable functions (`evaluate_augassign`, `evaluate_call`, `evaluate_with`) are present in the installed smolagents package source code.
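The version check above can be scripted so it runs unattended across hosts. This is an added example, not part of the advisory or the smolagents project: it reads the installed version with `importlib.metadata` and compares it against the upper bound listed in the Affected Vendors & Products table (1.25.0, inclusive), treating `.devN` pre-releases such as 1.25.0.dev0 as older than the matching final release, without depending on the third-party `packaging` module.

```python
"""Report whether the installed smolagents falls in the range this record lists
as affected by CVE-2026-4963 (huggingface/smolagents 1.25.0 and earlier)."""
from importlib.metadata import PackageNotFoundError, version
import re

# Upper bound taken from the record's Affected Vendors & Products table;
# update it if the vendor publishes a fixed release.
AFFECTED_MAX = "1.25.0"

# Enough of PEP 440 for this comparison: a release segment plus optional .devN.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.?dev(\d+))?$")


def parse_version(text):
    """Return a sortable key (release tuple, dev number).

    A final release gets dev = infinity so that 1.25.0.dev0 < 1.25.0.
    Release tuples are padded to three parts so 1.25 == 1.25.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))
    dev = int(m.group(2)) if m.group(2) is not None else float("inf")
    return release, dev


def is_affected(installed, affected_max=AFFECTED_MAX):
    """True when `installed` is at or below the listed upper bound."""
    return parse_version(installed) <= parse_version(affected_max)


def check_host():
    """Inspect the current interpreter: (installed version or None, affected?)."""
    try:
        installed = version("smolagents")
    except PackageNotFoundError:
        return None, False
    return installed, is_affected(installed)


if __name__ == "__main__":
    installed, affected = check_host()
    if installed is None:
        print("smolagents is not installed in this interpreter")
    else:
        status = "AFFECTED" if affected else "outside the listed range"
        print(f"smolagents {installed}: {status} (CVE-2026-4963)")
```

Run it with the same interpreter that hosts the agent, since a package installed in another virtual environment will not be seen.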
What immediate steps should I take to mitigate this vulnerability?
Currently, no patched versions of smolagents are available to fix this vulnerability.
Immediate mitigation steps include:
- Avoid using the vulnerable versions of smolagents (up to 1.25.0.dev0) in production or exposed environments.
- Restrict access to systems running smolagents to trusted users only, minimizing the risk of remote exploitation.
- Implement network-level controls such as firewalls or segmentation to prevent unauthorized remote access to the vulnerable service.
- Monitor and audit usage of the LocalPythonExecutor component for suspicious activity or unexpected code execution.
- Consider disabling or sandboxing the LocalPythonExecutor component if feasible until a patch is released.
Stay informed about updates from the vendor or security community for any forthcoming patches or official mitigations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-4963 vulnerability allows remote code execution and full sandbox escape in the smolagents LocalPythonExecutor component, which can lead to unauthorized access, modification, or destruction of data.
Such a vulnerability can compromise the confidentiality, integrity, and availability of sensitive data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.
Because the exploit enables attackers to execute arbitrary code remotely, it increases the risk of data breaches and unauthorized data manipulation, which are critical compliance concerns.
No patched versions are currently available, and the exploit is publicly known and easy to trigger, further elevating the compliance risk for organizations using affected versions.