Skip to main content

Pydantic AI CVE-2026-46678

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-21 https://github.com/pydantic/pydantic-ai GHSA-cqp8-fcvh-x7r3
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 21, 2026 - 22:43 vuln.today
Analysis Generated
May 21, 2026 - 22:43 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 pypi packages depend on pydantic-ai (3 direct, 0 indirect)
  • 14 pypi packages depend on pydantic-ai-slim (10 direct, 4 indirect)

Ecosystem-wide dependent count for version 1.56.0 and other introduced versions.

DescriptionGitHub Advisory

Summary

When an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs), the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form (IPv4-mapped IPv6, 6to4, or NAT64). Dual-stack and translated networks route the IPv6 wrapper to the underlying IPv4 endpoint, exposing cloud IAM short-term credentials.

This is an incomplete fix of GHSA-2jrp-274c-jhv3 / CVE-2026-25580. The parent advisory's remediation guaranteed that "cloud metadata endpoints are always blocked, even with allow-local." That guarantee did not hold for IPv6-encoded forms of the metadata IPs.

Severity

Same impact metrics as the parent CVE, but materially narrower attack surface (AC:H instead of AC:L), because exploitation requires the application to have opted into allow-local on a URL influenced by untrusted input.

Who Is Affected

Applications are affected only if they explicitly opt for FileUrl (ImageUrl, AudioUrl, VideoUrl, DocumentUrl) into force_download='allow-local' on a URL that is, or could be, influenced by untrusted input.

Applications are not affected if they use any of the bundled integrations to ingest user input, because they do not propagate force_download from external data:

  • Agent.to_web / clai web
  • VercelAIAdapter
  • AGUIAdapter / Agent.to_ag_ui

Applications that only download from developer-controlled URLs are not affected.

Remediation

Upgrade to 1.99.0 or later. The cloud-metadata and private-IP blocklists now apply to IPv6 transition forms that route to a blocked IPv4 endpoint (IPv4-mapped IPv6, 6to4, and NAT64 well-known prefix). The blocklists have also been extended to cover additional IANA-reserved IPv4 and IPv6 special-purpose ranges.

Workaround for Unpatched Versions

Avoid passing force_download='allow-local' on any URL that could be influenced by untrusted input. If developers must, resolve the hostname themselves and validate the result against their own metadata blocklist - including IPv6-encoded forms - before constructing the FileUrl.

Credits

Reported by [j0hndo](mailto:dohyun4466@gmail.com).

AnalysisAI

IPv6 transition-form SSRF in Pydantic AI bypasses the cloud-metadata blocklist introduced as a fix for CVE-2026-25580, exposing cloud IAM short-term credentials on dual-stack and translated networks. The bypass affects pydantic-ai and pydantic-ai-slim deployments that explicitly opt FileUrl-family types into force_download='allow-local' on URLs reachable by untrusted input - a materially narrower attack surface than its parent CVE, reflected in the AC:H rating versus the parent's AC:L. CVSS 6.8 (High) with Changed scope captures that a successful attack escapes the application boundary to reach cloud metadata services; no public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

The vulnerability (CWE-918, Server-Side Request Forgery) resides in the URL download handling logic of the pydantic-ai and pydantic-ai-slim Python packages (PyPI identifiers pkg:pip/pydantic-ai and pkg:pip/pydantic-ai-slim). The parent fix for CVE-2026-25580 blocked private and cloud-metadata IPv4 addresses but did not normalize IPv6 transition representations before blocklist evaluation: IPv4-mapped IPv6 (e.g., ::ffff:169.254.169.254), 6to4 addresses (e.g., 2002:a9fe:a9fe::/48 range), and NAT64 well-known prefix forms all route to the same underlying IPv4 endpoint on dual-stack and translated network stacks, circumventing a purely IPv4-aware blocklist. The force_download='allow-local' mode is an explicit developer opt-in permitting downloads from private IP space; the bug is that the cloud-metadata bypass protection within this mode was not extended to IPv6-encoded equivalents of blocked IPv4 addresses. The 1.99.0 fix normalizes all IPv6 transition forms before blocklist evaluation and extends coverage to additional IANA special-purpose ranges.

RemediationAI

Upgrade pydantic-ai or pydantic-ai-slim to version 1.99.0 or later, as confirmed by vendor advisory GHSA-cqp8-fcvh-x7r3 (https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-cqp8-fcvh-x7r3); this release extends the blocklist to IPv6 transition forms and additional IANA special-purpose ranges. If immediate upgrade is not feasible, the vendor-documented workaround is to avoid passing force_download='allow-local' on any URL that could be influenced by untrusted input - this eliminates the attack surface entirely at the cost of losing local-download functionality for those URL types. If allow-local is operationally required and patching is delayed, developers must resolve hostnames independently, validate the resolved address against a metadata blocklist that explicitly covers IPv6 transition encodings (IPv4-mapped, 6to4, NAT64 well-known prefix), and only then construct the FileUrl object; this approach is operationally complex and error-prone and should be treated as a temporary bridge only. The bundled integrations (Agent.to_web, VercelAIAdapter, AGUIAdapter) require no remediation action as they do not propagate force_download from external data.

Share

CVE-2026-46678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy