CVE-2026-46678: pydantic-ai: SSRF bypass exposes cloud IAM credentials

GHSA-cqp8-fcvh-x7r3 MEDIUM
Published May 21, 2026
CISO Take

CVE-2026-46678 is an incomplete-fix bypass in pydantic-ai's URL download functionality: attackers can encode cloud metadata IPs (e.g., AWS IMDSv1 at 169.254.169.254) in IPv6 transition forms—IPv4-mapped, 6to4, or NAT64—to circumvent the blocklist that was supposed to block metadata endpoint access even when force_download='allow-local' is explicitly set. With 416 downstream dependents and a scope-changed CVSS (S:C, C:H), successful exploitation yields short-term cloud IAM credentials enabling lateral movement across the entire cloud account. Exploitation requires the application to have opted into force_download='allow-local' on a user-influenced URL, meaningfully narrowing the attack surface compared to parent CVE-2026-25580—but this is a bypass of an already-patched vulnerability, signaling that the SSRF controls in pydantic-ai are under active scrutiny. Upgrade to pydantic-ai 1.99.0 immediately; if patching is blocked, audit all FileUrl/ImageUrl/AudioUrl/VideoUrl/DocumentUrl usage and remove force_download='allow-local' from any code path accepting untrusted input, and enforce IMDSv2 on all cloud instances running AI workloads as a defense-in-depth layer.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium overall risk with a high-severity ceiling. The CVSS 6.8 with AC:H accurately reflects the narrow precondition—force_download='allow-local' on untrusted URLs—but the scope:changed modifier and C:H mean that when conditions are met, the blast radius extends well beyond the AI application to the cloud control plane. This is a bypass of CVE-2026-25580, indicating active probing of pydantic-ai's SSRF mitigations; the IPv6 encoding technique (::ffff:a9fe:a9fe, 2002:a9fe:a9fe::) is well-documented and trivial to construct once the precondition is identified. No public exploits or active exploitation are confirmed, but the combination of a known incomplete fix, a popular AI agent framework, and high-value cloud credential access makes this a credible near-term exploitation target.

How does the attack unfold?

Target Identification
Attacker identifies a pydantic-ai application that accepts user-controlled URLs with force_download='allow-local' enabled on FileUrl, ImageUrl, or DocumentUrl types, typically through API documentation, error messages, or code repository enumeration.
AML.T0006
IPv6 Encoding Bypass
Attacker crafts a URL encoding the cloud metadata IP (169.254.169.254) as an IPv6 transition address—::ffff:a9fe:a9fe for IPv4-mapped IPv6 or 2002:a9fe:a9fe:: for 6to4—to bypass the pydantic-ai blocklist which only checks IPv4 forms.
AML.T0049
SSRF Execution
The unpatched pydantic-ai blocklist approves the IPv6-encoded URL; the dual-stack host routes it to the actual metadata endpoint at 169.254.169.254, which returns cloud IAM credentials in the HTTP response body.
AML.T0053
IAM Credential Harvesting
Attacker obtains short-term cloud IAM access key, secret key, and session token from the metadata response, enabling authenticated access to cloud APIs for lateral movement, data exfiltration, or privilege escalation.
AML.T0106

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Pydantic AI pip >= 1.56.0, < 1.99.0 1.99.0
18.2K 393 dependents Pushed 4d ago 90% patched ~206d to patch Full package profile →
Pydantic AI pip >= 1.56.0, < 1.99.0 1.99.0
18.2K 393 dependents Pushed 4d ago 90% patched ~206d to patch Full package profile →

How severe is it?

CVSS 3.1
6.8 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 12% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC High
PR None
UI None
S Changed
C High
I None
A None

What should I do?

5 steps
  1. Upgrade pydantic-ai and pydantic-ai-slim to version 1.99.0 or later—this release extends blocklist coverage to IPv4-mapped IPv6, 6to4, NAT64 well-known prefix, and additional IANA-reserved ranges.

  2. Audit all usage of FileUrl, ImageUrl, AudioUrl, VideoUrl, and DocumentUrl; remove force_download='allow-local' from any code path that processes untrusted URLs.

  3. Apply network-level SSRF controls: block outbound access to 169.254.169.254 (IMDSv1), 169.254.170.2 (ECS metadata), and fd00:ec2::254 (IMDSv2 IPv6) at the host and container firewall layer.

  4. Enforce IMDSv2 (session-oriented, PUT-based) on all AWS instances running AI workloads—this requires an attacker to make a two-step request, breaking simple SSRF chains.

  5. Monitor cloud provider logs for metadata service calls originating from application processes and flag any IAM credential use outside expected source IPs or regions.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Information security in AI system development
NIST AI RMF
MEASURE 2.5 - AI system security testing and evaluation
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-46678?

CVE-2026-46678 is an incomplete-fix bypass in pydantic-ai's URL download functionality: attackers can encode cloud metadata IPs (e.g., AWS IMDSv1 at 169.254.169.254) in IPv6 transition forms—IPv4-mapped, 6to4, or NAT64—to circumvent the blocklist that was supposed to block metadata endpoint access even when force_download='allow-local' is explicitly set. With 416 downstream dependents and a scope-changed CVSS (S:C, C:H), successful exploitation yields short-term cloud IAM credentials enabling lateral movement across the entire cloud account. Exploitation requires the application to have opted into force_download='allow-local' on a user-influenced URL, meaningfully narrowing the attack surface compared to parent CVE-2026-25580—but this is a bypass of an already-patched vulnerability, signaling that the SSRF controls in pydantic-ai are under active scrutiny. Upgrade to pydantic-ai 1.99.0 immediately; if patching is blocked, audit all FileUrl/ImageUrl/AudioUrl/VideoUrl/DocumentUrl usage and remove force_download='allow-local' from any code path accepting untrusted input, and enforce IMDSv2 on all cloud instances running AI workloads as a defense-in-depth layer.

Is CVE-2026-46678 actively exploited?

No confirmed active exploitation of CVE-2026-46678 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46678?

1. Upgrade pydantic-ai and pydantic-ai-slim to version 1.99.0 or later—this release extends blocklist coverage to IPv4-mapped IPv6, 6to4, NAT64 well-known prefix, and additional IANA-reserved ranges. 2. Audit all usage of FileUrl, ImageUrl, AudioUrl, VideoUrl, and DocumentUrl; remove force_download='allow-local' from any code path that processes untrusted URLs. 3. Apply network-level SSRF controls: block outbound access to 169.254.169.254 (IMDSv1), 169.254.170.2 (ECS metadata), and fd00:ec2::254 (IMDSv2 IPv6) at the host and container firewall layer. 4. Enforce IMDSv2 (session-oriented, PUT-based) on all AWS instances running AI workloads—this requires an attacker to make a two-step request, breaking simple SSRF chains. 5. Monitor cloud provider logs for metadata service calls originating from application processes and flag any IAM credential use outside expected source IPs or regions.

What systems are affected by CVE-2026-46678?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, Cloud-hosted AI applications, Multimodal AI pipelines, AI document processing pipelines.

What is the CVSS score for CVE-2026-46678?

CVE-2026-46678 has a CVSS v3.1 base score of 6.8 (MEDIUM). The EPSS exploitation probability is 0.04%.

What is the AI security impact?

Affected AI Architectures

Agent frameworksCloud-hosted AI applicationsMultimodal AI pipelinesAI document processing pipelines

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: MEASURE 2.5
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

## Summary When an application using Pydantic AI opts a URL into `force_download='allow-local'` (which disables the default block on private/internal IPs), the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form (IPv4-mapped IPv6, 6to4, or NAT64). Dual-stack and translated networks route the IPv6 wrapper to the underlying IPv4 endpoint, exposing cloud IAM short-term credentials. This is an incomplete fix of [GHSA-2jrp-274c-jhv3](https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3) / [CVE-2026-25580](https://nvd.nist.gov/vuln/detail/CVE-2026-25580). The parent advisory's remediation guaranteed that "cloud metadata endpoints are always blocked, even with `allow-local`." That guarantee did not hold for IPv6-encoded forms of the metadata IPs. ## Severity Same impact metrics as the parent CVE, but materially narrower attack surface (AC:H instead of AC:L), because exploitation requires the application to have opted into `allow-local` on a URL influenced by untrusted input. ## Who Is Affected Applications are affected **only if** they explicitly opt for `FileUrl` (`ImageUrl`, `AudioUrl`, `VideoUrl`, `DocumentUrl`) into `force_download='allow-local'` on a URL that is, or could be, influenced by untrusted input. Applications are **not** affected if they use any of the bundled integrations to ingest user input, because they do not propagate `force_download` from external data: - `Agent.to_web` / `clai web` - `VercelAIAdapter` - `AGUIAdapter` / `Agent.to_ag_ui` Applications that only download from developer-controlled URLs are not affected. ## Remediation Upgrade to `1.99.0` or later. The cloud-metadata and private-IP blocklists now apply to IPv6 transition forms that route to a blocked IPv4 endpoint (IPv4-mapped IPv6, 6to4, and NAT64 well-known prefix). The blocklists have also been extended to cover additional IANA-reserved IPv4 and IPv6 special-purpose ranges. ## Workaround for Unpatched Versions Avoid passing `force_download='allow-local'` on any URL that could be influenced by untrusted input. If developers must, resolve the hostname themselves and validate the result against their own metadata blocklist — including IPv6-encoded forms — before constructing the `FileUrl`. ## Credits Reported by [j0hndo](mailto:dohyun4466@gmail.com).

Exploitation Scenario

An attacker targets a cloud-hosted pydantic-ai document processing agent that accepts user-provided document URLs with force_download='allow-local' enabled (e.g., to support enterprise intranet documents). The attacker submits a DocumentUrl pointing to http://[::ffff:a9fe:a9fe]/ (IPv4-mapped IPv6 encoding of 169.254.169.254). The unpatched pydantic-ai blocklist only checks for IPv4 address patterns, passes the IPv6-encoded address, and the underlying HTTP client resolves it to the actual AWS metadata endpoint on the dual-stack cloud host. The response contains temporary AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN values that the attacker extracts from the server response, then uses to authenticate against AWS APIs—accessing S3 training data buckets, reading Secrets Manager entries, or escalating IAM privileges within the cloud account.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Timeline

Published
May 21, 2026
Last Modified
May 21, 2026
First Seen
May 22, 2026

Related Vulnerabilities