CVE-2026-46526: local-deep-research: SSRF via URL parser differential bypass

GHSA-g23j-2vwm-5c25 MEDIUM
Published May 28, 2026
CISO Take

local-deep-research v1.3.0–v1.6.9 contains an SSRF vulnerability where its URL validation logic is bypassed using a parser-differential trick: crafting URLs like `http://127.0.0.1:PORT\@public.ip` causes `urllib.parse.urlparse` to see a public IP (passing the security check) while `requests.get` silently connects to the internal address. The CVSS Scope Changed flag (S:C) signals that a low-privileged user can pivot the research agent beyond its process boundary to probe internal network services — cloud metadata endpoints (IMDS), adjacent containers, or internal APIs. No active exploitation or CISA KEV listing is recorded, and EPSS data is unavailable, but the PoC is a single crafted URL requiring no special tooling. Upgrade to v1.6.10 immediately; the fix aligns both parsers by switching host extraction to urllib3 (the same library requests uses internally) and rejects RFC 3986-forbidden characters such as backslash at the input layer.

Sources: NVD, GitHub Advisory, ATLAS, OpenSSF

What is the risk?

Medium CVSS (5.0) with an elevated operational risk in cloud and containerized AI deployments. Low privilege required and no user interaction needed broadens the attacker pool to any authenticated API caller. The Scope Changed vector means a successful SSRF can breach the agent's network boundary to reach cloud IMDS, adjacent databases, or internal model-serving APIs — resources with no direct internet exposure. No active exploitation evidence reduces urgency, but the trivial PoC and wide deployment of research agents in cloud-native environments justify prompt patching. Versions prior to v1.3.0 lacked any SSRF validator and are fully exploitable without the parser-differential trick.

Attack Kill Chain

Craft Bypass URL
Attacker constructs a URL using the backslash-at parser-differential pattern targeting an internal endpoint (e.g., `http://169.254.169.254/iam/credentials\@1.1.1.1`) and submits it as a research source to the agent.
AML.T0049
Validation Bypass
The `validate_url` function extracts `1.1.1.1` via urlparse and passes the SSRF check; `requests.get` connects to `169.254.169.254` because urllib3 treats the backslash as a path character, resolving the URL differently.
AML.T0053
Internal Resource Access
The agent fetches the internal cloud metadata or service endpoint and surfaces the response — potentially exposing IAM credentials, internal API responses, or network topology — in its research output.
AML.T0037
Credential Abuse / Lateral Movement
Leaked cloud IAM credentials or discovered internal service endpoints enable the attacker to pivot laterally into adjacent infrastructure (object storage, model APIs, databases) beyond the research agent's intended scope.
AML.T0086

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| local-deep-research | pip | < 1.6.10 | 1.6.10 |

Do you use local-deep-research? You're affected.

Severity & Risk

CVSS 3.1
5.0 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Changed
C: Low
I: None
A: None

What should I do?

  1. Upgrade to local-deep-research v1.6.10 or later — PRs #3873, #3882, #3889, and #3932 are all merged and ship together in this release.

  2. If immediate upgrade is blocked, reject any input URL containing backslash, ASCII control bytes, or whitespace at the application boundary (WAF rule or input sanitization layer).

  3. Enable IMDSv2 (AWS) or equivalent metadata endpoint hardening to prevent credential leakage even if SSRF succeeds.

  4. Audit network segmentation for all local-deep-research deployments — the agent should not have network-level access to internal-only APIs, databases, or cloud metadata addresses.

  5. Review access and application logs for requests containing the literal string `\@` in URL parameters as an indicator of prior exploitation attempts.
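One way to run the log review in step 5, as an added example that is not part of the advisory or the project: it percent-decodes each logged URL (repeatedly, to catch double encoding) before looking for the backslash-at marker. The log layout, the `/api/research` path and the `url` parameter name are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Backslash immediately followed by "@", checked after percent-decoding.
MARKER = re.compile(r"\\@")
# A URL value inside a log line, with the scheme separator raw or percent-encoded.
URL_IN_LINE = re.compile(r"https?(?::|%3A)(?://|%2F%2F)\S+", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded input (%255C%2540) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_urls(line: str) -> list:
    """Return the decoded URLs in one log line that contain the marker."""
    hits = []
    for m in URL_IN_LINE.finditer(line):
        url = decode_fully(m.group(0).rstrip('"'))
        if MARKER.search(url):
            hits.append(url)
    return hits


def scan(lines):
    """Yield (line_number, decoded_url) for every flagged URL, numbering from 1."""
    for n, line in enumerate(lines, 1):
        for url in suspicious_urls(line):
            yield n, url


# Constructed sample lines; path, parameter name and addresses are assumptions.
SAMPLE_LOG = [
    '203.0.113.7 - alice "POST /api/research?url=https://example.org/paper HTTP/1.1" 200',
    '203.0.113.9 - bob "POST /api/research?url=http%3A%2F%2F127.0.0.1%3A8080%5C%401.1.1.1 HTTP/1.1" 200',
    '203.0.113.9 - bob "POST /api/research?url=http://127.0.0.1:8080\\@1.1.1.1 HTTP/1.1" 200',
    '203.0.113.4 - carol "GET /api/research?url=https://example.org/u/@handle HTTP/1.1" 200',
]

if __name__ == "__main__":
    for n, url in scan(SAMPLE_LOG):
        print(f"line {n}: {url}")
```

A plain `@` in a path (the last sample line) is not flagged; only the backslash-at pair is.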

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.9.2 - Information security controls for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to maintain AI system integrity
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-46526?

local-deep-research v1.3.0–v1.6.9 contains an SSRF vulnerability where its URL validation logic is bypassed using a parser-differential trick: crafting URLs like `http://127.0.0.1:PORT\@public.ip` causes `urllib.parse.urlparse` to see a public IP (passing the security check) while `requests.get` silently connects to the internal address. The CVSS Scope Changed flag (S:C) signals that a low-privileged user can pivot the research agent beyond its process boundary to probe internal network services — cloud metadata endpoints (IMDS), adjacent containers, or internal APIs. No active exploitation or CISA KEV listing is recorded, and EPSS data is unavailable, but the PoC is a single crafted URL requiring no special tooling. Upgrade to v1.6.10 immediately; the fix aligns both parsers by switching host extraction to urllib3 (the same library requests uses internally) and rejects RFC 3986-forbidden characters such as backslash at the input layer.

Is CVE-2026-46526 actively exploited?

No confirmed active exploitation of CVE-2026-46526 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46526?

  1. Upgrade to local-deep-research v1.6.10 or later — PRs #3873, #3882, #3889, and #3932 are all merged and ship together in this release.

  2. If immediate upgrade is blocked, reject any input URL containing backslash, ASCII control bytes, or whitespace at the application boundary (WAF rule or input sanitization layer).

  3. Enable IMDSv2 (AWS) or equivalent metadata endpoint hardening to prevent credential leakage even if SSRF succeeds.

  4. Audit network segmentation for all local-deep-research deployments — the agent should not have network-level access to internal-only APIs, databases, or cloud metadata addresses.

  5. Review access and application logs for requests containing the literal string `\@` in URL parameters as an indicator of prior exploitation attempts.

What systems are affected by CVE-2026-46526?

This vulnerability affects the following AI/ML architecture patterns: AI research agents, agent frameworks, cloud-deployed AI pipelines.

What is the CVSS score for CVE-2026-46526?

CVE-2026-46526 has a CVSS v3.1 base score of 5.0 (MEDIUM).

AI Security Impact

Affected AI Architectures

AI research agents, agent frameworks, cloud-deployed AI pipelines

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.9.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

Technical Details

Original Advisory

Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. The current project uses validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks. However, there are indeed differences in parsing between urlparse and the library that actually sends the request. For example, in safe_get, validate_url is first used to perform an SSRF check, and then requests.get is used to send the actual request. This vulnerability is fixed in 1.6.10.
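The check-then-fetch mismatch described above, reduced to standard-library Python as an added example (not code from the advisory or the project). All function names are hypothetical, the regex-based `client_host` is a stand-in for the HTTP client's parser, and port 8080 in the crafted URL is a constructed value.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added illustration: all names here are hypothetical, not the project's API.
# Backslash, ASCII control bytes and whitespace are not valid raw URL characters.
FORBIDDEN = re.compile(r"[\\\x00-\x20\x7f]")
# Authority as a client that ends it at "/", "?", "#" or a backslash reads it
# (a regex stand-in for the HTTP client's parser, which is an assumption here).
AUTHORITY = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^\\/?#]*)")


def is_internal(host: str) -> bool:
    """True for literal IPs outside globally routable space (loopback, private, link-local)."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a DNS name; resolution-time checks are out of scope here


def naive_host(url: str) -> str:
    """Host as the flawed check sees it: whatever follows the last '@' in netloc."""
    return urlsplit(url).hostname or ""


def client_host(url: str) -> str:
    """Host as seen when a backslash terminates the authority component."""
    m = AUTHORITY.match(url)
    hostport = (m.group(1) if m else "").rsplit("@", 1)[-1]
    if hostport.startswith("["):  # bracketed IPv6 literal
        return hostport[1:hostport.find("]")].lower()
    return hostport.rsplit(":", 1)[0].lower()


def naive_validate(url: str) -> bool:
    """Vulnerable pattern: trusts a single parser's idea of the host."""
    return not is_internal(naive_host(url))


def hardened_validate(url: str) -> bool:
    """Reject forbidden bytes, then require both host readings to agree."""
    if FORBIDDEN.search(url):
        return False
    host = naive_host(url)
    return bool(host) and host == client_host(url) and not is_internal(host)


CRAFTED = "http://127.0.0.1:8080\\@1.1.1.1"  # page's pattern; port is constructed
```

For `CRAFTED`, `naive_host` and `client_host` disagree, which is the condition the hardened check refuses; literal-IP checks like this do not cover hostnames that resolve to internal addresses.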

Exploitation Scenario

An attacker with low-privileged access to a cloud-hosted local-deep-research deployment submits `http://169.254.169.254/latest/meta-data/iam/security-credentials/\@1.1.1.1` as a research source URL. The `validate_url` function calls `urlparse` which extracts `1.1.1.1` as the hostname and classifies it as a public address — validation passes. The `requests.get` call then connects to `169.254.169.254` (AWS IMDS) because urllib3 treats the backslash as a path character. The agent fetches and surfaces the IAM security credentials in its research output, which the attacker reads directly. Using the leaked credentials, the attacker pivots laterally to S3 buckets, model storage, or other AWS resources attached to the agent's instance role.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Timeline

Published
May 28, 2026
Last Modified
May 28, 2026
First Seen
May 28, 2026
