CVE-2026-25580: pydantic-ai: SSRF allows internal network access
GHSA-2jrp-274c-jhv3 | HIGH | PoC available
Any Pydantic AI application accepting message history from external users is exposed to SSRF attacks that can pivot to cloud metadata services and steal IAM credentials. Patch to pydantic-ai >= 1.56.0 immediately and treat this as critical in cloud environments where IMDS is accessible. Until patched, disable or sanitize external message history inputs — cloud credential theft via SSRF is a lateral movement multiplier with consequences far beyond the AI layer.
What is the risk?
High risk in cloud-deployed AI agent applications. CVSS 8.6 with network-accessible, zero-authentication, low-complexity exploitation creates significant exposure. The Scope:Changed metric signals cross-boundary impact — SSRF reaches beyond the application to internal infrastructure and cloud metadata endpoints (AWS IMDS, GCP metadata, Azure IMDS). EPSS of 0.00017 indicates low current exploitation activity, but the attack requires no specialized AI knowledge, lowering the practical barrier significantly for any organization running Pydantic AI agents exposed to external users. Cloud-hosted deployments should treat this as critical regardless of CVSS.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Pydantic AI | pip | >= 0.0.26, < 1.56.0 | 1.56.0 |
| pydantic_ai | — | — | No patch |
What should I do?
1. PATCH: Upgrade pydantic-ai or pydantic-ai-slim to >= 1.56.0 immediately — this is the only permanent fix.
2. WORKAROUND: If patching is not immediately possible, block or sanitize all message history inputs from untrusted sources — do not pass external conversation history directly to Pydantic AI.
3. NETWORK CONTROLS: Enforce egress filtering on AI agent deployments; explicitly block 169.254.169.254 (cloud IMDS) and RFC1918 addresses from application server outbound traffic.
4. DETECTION: Monitor outbound HTTP requests from AI agent services for connections to private IP ranges, loopback, or cloud metadata endpoints — any hit from the application tier is a strong indicator of exploitation.
5. AUDIT: Scan codebase for all call sites where message_history or equivalent parameters accept user-controlled data and feed into Pydantic AI.
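One way to apply the WORKAROUND step before untrusted history reaches the agent (an added example, not code from Pydantic AI or from the advisory): reject any URL whose host is, or resolves to, a loopback, RFC1918, link-local or other non-global address. The nested history shape, the `url` key, the sample hostnames and all function names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

SAMPLE_HISTORY = [{"parts": [{"content": [  # constructed; shape is an assumption
    {"kind": "image-url", "url": "http://169.254.169.254/latest/meta-data/"},
    {"kind": "document-url", "url": "https://docs.example.com/a.pdf"},
    {"kind": "image-url", "url": "http://internal.example.net/x.png"}]}]}]

def os_resolver(host):
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()  # lookup failed; the caller rejects an empty answer

def check_url(url, resolver=os_resolver):
    """Return None when url may be fetched, otherwise the reason to reject."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ("http", "https") or not host:
        return "scheme or host not allowed"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal: no lookup
    except ValueError:
        addrs = resolver(host)  # hostname: every returned record is checked
    if not addrs:
        return "host does not resolve"
    for addr in sorted(addrs):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip    # ::ffff:a.b.c.d
        if not ip.is_global:  # loopback, RFC1918, link-local (IMDS), ...
            return f"resolves to internal address {addr}"
    return None

def rejected_urls(node, resolver=os_resolver):
    """Map each unsafe 'url' value in nested untrusted JSON to its reason."""
    found = {}
    if isinstance(node, dict):
        url = node.get("url")
        if isinstance(url, str) and (why := check_url(url, resolver)):
            found[url] = why
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            found.update(rejected_urls(item, resolver))
    return found
```

A check made before the fetch does not pin the address the HTTP client later connects to, so the egress filtering from the NETWORK CONTROLS step is still needed alongside it.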
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-25580 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-25580, increasing the risk of exploitation.
What systems are affected by CVE-2026-25580?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM-powered applications with external user input, cloud-deployed AI services, multi-agent systems, RAG pipelines accepting conversation history.
What is the CVSS score for CVE-2026-25580?
CVE-2026-25580 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.49%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0049 Exploit Public-Facing Application
- AML.T0051.001 Indirect
- AML.T0053 AI Agent Tool Invocation
- AML.T0080.001 Thread
- AML.T0083 Credentials from AI Agent Configuration
What are the technical details?
Original Advisory
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.
Exploitation Scenario
An attacker submits a crafted conversation message to a public-facing AI assistant built on Pydantic AI (e.g., a customer support chatbot or developer tool exposed via API). The attacker's message history payload contains a URL pointing to http://169.254.169.254/latest/meta-data/iam/security-credentials/ targeting the AWS IMDS. The Pydantic AI URL download handler fetches this URL server-side, the response containing live IAM role credentials (AccessKeyId, SecretAccessKey, SessionToken) flows back through the agent, and the attacker harvests them. With active AWS credentials, the attacker escalates to full cloud environment access — S3 buckets, RDS instances, other services — entirely from a message history injection. No authentication, no AI expertise, and no user interaction required.
Weaknesses (CWE)
CWE-918 Server-Side Request Forgery (SSRF)
Primary
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2026-46678 | 6.8 | pydantic-ai: SSRF bypass exposes cloud IAM credentials | Same package: pydantic-ai |
| CVE-2026-25640 | 5.4 | pydantic-ai: Path Traversal enables file access | Same package: pydantic-ai |
| CVE-2025-53767 | 10.0 | Azure OpenAI: SSRF EoP, no auth required (CVSS 10) | Same attack type: Data Extraction |
| CVE-2025-2828 | 10.0 | LangChain RequestsToolkit: SSRF exposes cloud metadata | Same attack type: Data Extraction |
| CVE-2023-3765 | 10.0 | MLflow: path traversal allows arbitrary file read | Same attack type: Data Extraction |