CVE-2026-46678 is an incomplete-fix bypass in pydantic-ai's URL download functionality: attackers can encode cloud metadata IPs (e.g., AWS IMDSv1 at 169.254.169.254) in IPv6 transition forms—IPv4-mapped, 6to4, or NAT64—to circumvent the blocklist that was supposed to block metadata endpoint access even when force_download='allow-local' is explicitly set. With 416 downstream dependents and a scope-changed CVSS (S:C, C:H), successful exploitation yields short-term cloud IAM credentials enabling lateral movement across the entire cloud account. Exploitation requires the application to have opted into force_download='allow-local' on a user-influenced URL, meaningfully narrowing the attack surface compared to parent CVE-2026-25580—but this is a bypass of an already-patched vulnerability, signaling that the SSRF controls in pydantic-ai are under active scrutiny. Upgrade to pydantic-ai 1.99.0 immediately; if patching is blocked, audit all FileUrl/ImageUrl/AudioUrl/VideoUrl/DocumentUrl usage and remove force_download='allow-local' from any code path accepting untrusted input, and enforce IMDSv2 on all cloud instances running AI workloads as a defense-in-depth layer.
What is the risk?
Medium overall risk with a high-severity ceiling. The CVSS 6.8 with AC:H accurately reflects the narrow precondition—force_download='allow-local' on untrusted URLs—but the scope:changed modifier and C:H mean that when conditions are met, the blast radius extends well beyond the AI application to the cloud control plane. This is a bypass of CVE-2026-25580, indicating active probing of pydantic-ai's SSRF mitigations; the IPv6 encoding technique (::ffff:a9fe:a9fe, 2002:a9fe:a9fe::) is well-documented and trivial to construct once the precondition is identified. No public exploits or active exploitation are confirmed, but the combination of a known incomplete fix, a popular AI agent framework, and high-value cloud credential access makes this a credible near-term exploitation target.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| pydantic-ai | pip | >= 1.56.0, < 1.99.0 | 1.99.0 |
| pydantic-ai-slim | pip | >= 1.56.0, < 1.99.0 | 1.99.0 |
What should I do?
1. Upgrade pydantic-ai and pydantic-ai-slim to version 1.99.0 or later—this release extends blocklist coverage to IPv4-mapped IPv6, 6to4, NAT64 well-known prefix, and additional IANA-reserved ranges.
2. Audit all usage of FileUrl, ImageUrl, AudioUrl, VideoUrl, and DocumentUrl; remove force_download='allow-local' from any code path that processes untrusted URLs.
3. Apply network-level SSRF controls: block outbound access to 169.254.169.254 (IMDSv1), 169.254.170.2 (ECS metadata), and fd00:ec2::254 (IMDSv2 IPv6) at the host and container firewall layer.
4. Enforce IMDSv2 (session-oriented, PUT-based) on all AWS instances running AI workloads—this requires an attacker to make a two-step request, breaking simple SSRF chains.
5. Monitor cloud provider logs for metadata service calls originating from application processes and flag any IAM credential use outside expected source IPs or regions.
Frequently Asked Questions
Is CVE-2026-46678 actively exploited?
No confirmed active exploitation of CVE-2026-46678 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-46678?
This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, Cloud-hosted AI applications, Multimodal AI pipelines, AI document processing pipelines.
What is the CVSS score for CVE-2026-46678?
CVE-2026-46678 has a CVSS v3.1 base score of 6.8 (MEDIUM).
Technical Details
NVD Description
## Summary

When an application using Pydantic AI opts a URL into `force_download='allow-local'` (which disables the default block on private/internal IPs), the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form (IPv4-mapped IPv6, 6to4, or NAT64). Dual-stack and translated networks route the IPv6 wrapper to the underlying IPv4 endpoint, exposing cloud IAM short-term credentials.

This is an incomplete fix of [GHSA-2jrp-274c-jhv3](https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3) / [CVE-2026-25580](https://nvd.nist.gov/vuln/detail/CVE-2026-25580). The parent advisory's remediation guaranteed that "cloud metadata endpoints are always blocked, even with `allow-local`." That guarantee did not hold for IPv6-encoded forms of the metadata IPs.

## Severity

Same impact metrics as the parent CVE, but materially narrower attack surface (AC:H instead of AC:L), because exploitation requires the application to have opted into `allow-local` on a URL influenced by untrusted input.

## Who Is Affected

Applications are affected **only if** they explicitly opt for `FileUrl` (`ImageUrl`, `AudioUrl`, `VideoUrl`, `DocumentUrl`) into `force_download='allow-local'` on a URL that is, or could be, influenced by untrusted input.

Applications are **not** affected if they use any of the bundled integrations to ingest user input, because they do not propagate `force_download` from external data:

- `Agent.to_web` / `clai web`
- `VercelAIAdapter`
- `AGUIAdapter` / `Agent.to_ag_ui`

Applications that only download from developer-controlled URLs are not affected.

## Remediation

Upgrade to `1.99.0` or later. The cloud-metadata and private-IP blocklists now apply to IPv6 transition forms that route to a blocked IPv4 endpoint (IPv4-mapped IPv6, 6to4, and NAT64 well-known prefix). The blocklists have also been extended to cover additional IANA-reserved IPv4 and IPv6 special-purpose ranges.

## Workaround for Unpatched Versions

Avoid passing `force_download='allow-local'` on any URL that could be influenced by untrusted input. If developers must, resolve the hostname themselves and validate the result against their own metadata blocklist — including IPv6-encoded forms — before constructing the `FileUrl`.

## Credits

Reported by [j0hndo](mailto:dohyun4466@gmail.com).
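The workaround in the advisory text above (resolve the host yourself, then check the result including IPv6-encoded forms) can be sketched as follows. This is an added example, not pydantic-ai's own code or its 1.99.0 fix; the function names, the blocklist contents and the NAT64 sample literal are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata endpoints named on this page; extend for other providers (assumption).
METADATA_V4 = {ipaddress.ip_address(a) for a in ("169.254.169.254", "169.254.170.2")}
METADATA_V6 = {ipaddress.ip_address("fd00:ec2::254")}
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")  # NAT64 well-known prefix


def embedded_ipv4(addr):
    """Return the IPv4 address that addr is, or wraps, else None."""
    if addr.version == 4:
        return addr
    if addr.ipv4_mapped is not None:   # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr.sixtofour is not None:     # 2002:AABB:CCDD::/48
        return addr.sixtofour
    if addr in NAT64_WKP:              # 64:ff9b::a.b.c.d
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def is_metadata_address(text):
    """True if the literal is a metadata IP, directly or via a transition form."""
    addr = ipaddress.ip_address(text.split("%")[0])  # drop any zone id
    v4 = embedded_ipv4(addr)
    return addr in METADATA_V6 or (v4 is not None and v4 in METADATA_V4)


def check_url(url, resolver=socket.getaddrinfo):
    """Resolve the URL's host; raise ValueError if any answer is a metadata IP."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host")
    infos = resolver(host, None, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    bad = [a for a in addrs if is_metadata_address(a)]
    if bad:
        raise ValueError(f"{host} resolves to a metadata endpoint: {bad}")
    return addrs


if __name__ == "__main__":
    # Constructed samples: the encodings quoted on this page plus one private IP.
    for lit in ("::ffff:a9fe:a9fe", "2002:a9fe:a9fe::", "64:ff9b::a9fe:a9fe", "10.0.0.5"):
        print(lit, "->", "blocked" if is_metadata_address(lit) else "allowed")
```

Connect to one of the addresses `check_url` returns rather than letting the HTTP client resolve the name again; otherwise a second DNS answer can differ from the one that was checked.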
Exploitation Scenario
An attacker targets a cloud-hosted pydantic-ai document processing agent that accepts user-provided document URLs with force_download='allow-local' enabled (e.g., to support enterprise intranet documents). The attacker submits a DocumentUrl pointing to http://[::ffff:a9fe:a9fe]/ (IPv4-mapped IPv6 encoding of 169.254.169.254). The unpatched pydantic-ai blocklist only checks for IPv4 address patterns, passes the IPv6-encoded address, and the underlying HTTP client resolves it to the actual AWS metadata endpoint on the dual-stack cloud host. The response contains temporary AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN values that the attacker extracts from the server response, then uses to authenticate against AWS APIs—accessing S3 training data buckets, reading Secrets Manager entries, or escalating IAM privileges within the cloud account.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Related Vulnerabilities
| CVE | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-25580 | 8.6 | pydantic-ai: SSRF allows internal network access | Same package: pydantic-ai |
| CVE-2026-25640 | 5.4 | pydantic-ai: Path Traversal enables file access | Same package: pydantic-ai |
| CVE-2025-53767 | 10.0 | Azure OpenAI: SSRF EoP, no auth required (CVSS 10) | Same attack type: Data Extraction |
| CVE-2025-2828 | 10.0 | LangChain RequestsToolkit: SSRF exposes cloud metadata | Same attack type: Data Extraction |
| CVE-2023-3765 | 10.0 | MLflow: path traversal allows arbitrary file read | Same attack type: Data Extraction |