
Agentscope CVE-2026-6604 (EUVD-2026-23773)

Severity: MEDIUM, CVSS 4.0 score 5.5 (NVD)
Weakness: Server-Side Request Forgery (SSRF), CWE-918
Published: 2026-04-20 (source: VulDB)

Severity by source

NVD (primary rating, only source for this CVE): 5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector breakdown (decoded from the NVD vector above; note that CVSS 4.0 has no Scope metric, the S:X field is the supplemental Safety metric):
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: None
  • User Interaction: None
  • Vulnerable system impact: Confidentiality Low, Integrity Low, Availability Low
  • Subsequent system impact: None (SC:N/SI:N/SA:N)
  • Exploit Maturity: Proof-of-Concept (E:P), which is what lowers the 6.9 base score to the 5.5 shown
  • Environmental and supplemental metrics (CR/IR/AR, M*, S, AU, R, V, RE, U): Not Defined

Lifecycle Timeline (8 events, most recent first)

  • Apr 29, 2026 01:12, NVD: CVSS changed, 6.9 (MEDIUM) → 5.5 (MEDIUM)
  • Apr 29, 2026 01:00, vuln.today: PoC detected (public exploit code)
  • Apr 20, 2026 05:25, vuln.today: analysis generated
  • Apr 20, 2026 05:22, NVD: severity changed, HIGH → MEDIUM
  • Apr 20, 2026 05:22, NVD: CVSS changed, 7.3 (HIGH) → 6.9 (MEDIUM)
  • Apr 20, 2026 05:15, EUVD: EUVD ID assigned, EUVD-2026-23773
  • Apr 20, 2026 05:15, vuln.today: analysis generated
  • Apr 20, 2026 04:15, NVD: CVE published, MEDIUM 5.5

Blast Radius (ecosystem impact)

Transitive dependency graph, resolved by vuln.today to a depth of 4 paths:
  • 7 PyPI packages depend on agentscope (6 direct, 1 indirect)

Ecosystem-wide dependent count for version 1.0.18.

Description (CVE.org)

A vulnerability was identified in modelscope agentscope up to 1.0.18. Affected by this issue is the function _parse_url/prepare_image/openai_audio_to_text of the file src/agentscope/tool/_multi_modality/_openai_tools.py of the component Cloud Metadata Endpoint. Such manipulation of the argument image_url/audio_file_url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI-generated)

Server-side request forgery (SSRF) in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers to control the image_url and audio_file_url parameters handled by the _parse_url, prepare_image, and openai_audio_to_text functions, causing the affected server to issue HTTP requests to destinations of the attacker's choosing. Public exploit code exists. The affected code lives in the multi-modality OpenAI tools module (src/agentscope/tool/_multi_modality/_openai_tools.py); VulDB files it under the "Cloud Metadata Endpoint" component because the obvious target of such a request is a cloud instance metadata service. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:
  • Recon: network reconnaissance identifies an AgentScope endpoint
  • Delivery: craft an HTTP request with a malicious image_url parameter
  • Exploit: send the request to the vulnerable function
  • Install: the server processes the URL without validation
  • C2: the server makes a request to an attacker-controlled or internal destination
  • Execute: the attacker receives the response or otherwise achieves SSRF impact
  • Impact: information disclosure or lateral movement to internal services

Vulnerability Assessment (AI-generated)

Exploitation: The vulnerability requires that the AgentScope multi-modality OpenAI tools component is deployed and that an attacker can get a value into image_url or audio_file_url. Because these are tool functions under src/agentscope/tool/, the URL reaches them through whatever invokes the tool, so any path by which untrusted input ends up in those parameters is in scope, not only a directly exposed HTTP endpoint. …

Risk Assessment: The CVSS 4.0 base score is 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N), i.e. network-reachable exploitation with no authentication or user interaction required; the 5.5 displayed above is the same vector with Exploit Maturity set to Proof-of-Concept. …

Exploit Scenario: An attacker sends a POST request to an AgentScope instance with a malicious image_url parameter pointing at an internal service, such as http://169.254.169.254/latest/meta-data (AWS instance metadata) or http://localhost:8080/admin/config. The vulnerable _parse_url or prepare_image function accepts the URL without validating its scheme or destination and issues a server-side HTTP request to fetch it, so the response (or an error revealing its existence) comes back under the server's network identity. …

Remediation: Upgrade AgentScope to a release newer than 1.0.18 once the ModelScope project publishes a fix; at the time of the CVE description the vendor had not responded, so no patched version is confirmed here. Until then, the compensating controls are the standard SSRF ones: validate every media URL before fetching it (allow only http/https, resolve the host and refuse loopback, link-local, RFC 1918 and other non-public addresses, do not follow redirects without re-checking the new destination), apply egress filtering on the host running the agent, and on AWS require IMDSv2, whose session token must be obtained with a PUT request that a plain GET-style SSRF cannot perform. …
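The URL gate described in the remediation above, as an added example that is not AgentScope code: the real _parse_url, prepare_image and openai_audio_to_text internals are not reproduced, and `fetch_media` is a hypothetical stand-in for any helper that downloads an attacker-influenced image_url or audio_file_url. The resolver and the HTTP transport are injectable so the block runs offline against a constructed DNS table; production would pass the defaults or a real client. It goes slightly beyond the page's two sample URLs by also refusing IPv4-mapped IPv6 literals, credentials in the URL, names that resolve to a mix of public and internal addresses, and redirects into a forbidden destination.

```python
"""Hardened destination check for a server-side media fetch (added example)."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3


def is_safe_destination(ip):
    """Only globally routable unicast addresses may be fetched.

    `is_global` is False for loopback, link-local (169.254.169.254), RFC 1918,
    0.0.0.0, CGNAT space (100.100.100.200, the Alibaba Cloud metadata address)
    and documentation ranges; multicast is excluded separately because older
    Python versions report it as global.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is judged as IPv4
    return ip.is_global and not ip.is_multicast


def resolve_destination(url, resolve=socket.getaddrinfo):
    """Validate `url`; return (host, port, pinned_ip) or raise ValueError.

    Every address the name resolves to is checked, so a name that mixes
    public and internal answers is rejected instead of raced (DNS rebinding).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    port = parts.port or (443 if scheme == "https" else 80)
    try:
        answers = [ipaddress.ip_address(host)]
    except ValueError:
        # Not a dotted/colon literal. Decimal (2130706433) or hex (0x7f000001)
        # spellings land here as well; the resolver's answer is what is checked.
        try:
            infos = resolve(host, port, type=socket.SOCK_STREAM)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
        answers = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not answers:
        raise ValueError(f"no addresses for {host!r}")
    for ip in answers:
        if not is_safe_destination(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return host, port, str(answers[0])


def fetch_media(url, transport, resolve=socket.getaddrinfo):
    """Fetch `url`, re-validating the destination on every redirect hop.

    `transport(pinned_ip, port, host, url)` performs ONE request to the
    already-validated address (sending `host` as Host/SNI) and returns
    (status, headers_with_lowercase_keys, body). It must not follow redirects
    itself, otherwise a public URL that 302s to the metadata service bypasses
    the gate.
    """
    for _ in range(MAX_REDIRECTS + 1):
        host, port, ip = resolve_destination(url, resolve)
        status, headers, body = transport(ip, port, host, url)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return status, body
    raise ValueError("too many redirects")


# Constructed DNS table and transport so the example runs offline (hypothetical
# hosts; the public addresses are only examples of globally routable space).
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "rebind.example": ["104.16.0.1", "10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolve(host, port, **kwargs):
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port)) for a in FAKE_DNS[host]]


def fake_transport(ip, port, host, url):
    if host == "cdn.example" and urlsplit(url).path == "/redirect":
        return 302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, b"\x89PNG\r\n\x1a\n"


if __name__ == "__main__":
    for u in ("http://cdn.example/a.png", "http://169.254.169.254/latest/meta-data",
              "http://localhost:8080/admin/config", "http://cdn.example/redirect"):
        try:
            print(u, "->", fetch_media(u, fake_transport, fake_resolve)[0])
        except ValueError as exc:
            print(u, "-> refused:", exc)
```

The pinned IP returned by `resolve_destination` is the address the transport must connect to; resolving a second time inside the HTTP client would reopen the rebinding window the check just closed.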


CVE-2026-6604 vulnerability details – vuln.today
