Pydantic Ai
Monthly
Server-Side Request Forgery in Pydantic AI (versions 1.56.0-1.101.0, 2.0.0b1, 2.0.0b2) allows unauthenticated network attackers to bypass the cloud-metadata IP blocklist by encoding metadata service addresses (e.g., 169.254.169.254) in IPv6 transition forms - specifically IPv4-compatible IPv6, NAT64 RFC 8215 local-use prefixes, operator-chosen NAT64 prefixes, and ISATAP - that the prior remediation (CVE-2026-46678) failed to decode, enabling retrieval of cloud IAM short-term credentials. Exploitation is constrained by two simultaneous prerequisites: the application must use the non-default `force_download='allow-local'` mode and must operate on a network that routes the affected IPv6 transition forms (e.g., IPv6-only or dual-stack-with-NAT64 Kubernetes clusters). This is the third iteration in an escalating bypass chain (CVE-2026-25580 → CVE-2026-46678 → CVE-2026-48782), and no public exploit has been identified at time of analysis.
Pydantic AI versions 0.0.26 through 1.55.x contain a server-side request forgery vulnerability in URL download functionality that allows remote attackers to make arbitrary HTTP requests to internal network resources when applications process untrusted message history. Public exploit code exists for this vulnerability, which could enable attackers to access internal services or cloud credentials. Applications must upgrade to version 1.56.0 or later to remediate the issue.
Pydantic AI versions 1.34.0 through 1.50.x contain a path traversal vulnerability in the web UI that allows unauthenticated attackers to inject arbitrary JavaScript by manipulating the CDN version parameter in a malicious URL. When a victim visits the crafted link, attacker-controlled code executes in their browser, enabling theft of chat history and other sensitive client-side data. No patch is currently available.
Server-Side Request Forgery in Pydantic AI (versions 1.56.0-1.101.0, 2.0.0b1, 2.0.0b2) allows unauthenticated network attackers to bypass the cloud-metadata IP blocklist by encoding metadata service addresses (e.g., 169.254.169.254) in IPv6 transition forms - specifically IPv4-compatible IPv6, NAT64 RFC 8215 local-use prefixes, operator-chosen NAT64 prefixes, and ISATAP - that the prior remediation (CVE-2026-46678) failed to decode, enabling retrieval of cloud IAM short-term credentials. Exploitation is constrained by two simultaneous prerequisites: the application must use the non-default `force_download='allow-local'` mode and must operate on a network that routes the affected IPv6 transition forms (e.g., IPv6-only or dual-stack-with-NAT64 Kubernetes clusters). This is the third iteration in an escalating bypass chain (CVE-2026-25580 → CVE-2026-46678 → CVE-2026-48782), and no public exploit has been identified at time of analysis.
Pydantic AI versions 0.0.26 through 1.55.x contain a server-side request forgery vulnerability in URL download functionality that allows remote attackers to make arbitrary HTTP requests to internal network resources when applications process untrusted message history. Public exploit code exists for this vulnerability, which could enable attackers to access internal services or cloud credentials. Applications must upgrade to version 1.56.0 or later to remediate the issue.
Pydantic AI versions 1.34.0 through 1.50.x contain a path traversal vulnerability in the web UI that allows unauthenticated attackers to inject arbitrary JavaScript by manipulating the CDN version parameter in a malicious URL. When a victim visits the crafted link, attacker-controlled code executes in their browser, enabling theft of chat history and other sensitive client-side data. No patch is currently available.