CVE-2026-48782: pydantic-ai: SSRF IPv6 bypass exposes cloud IAM creds

MEDIUM
Published June 16, 2026
CISO Take

CVE-2026-48782 is a Server-Side Request Forgery (SSRF) in Pydantic AI's cloud-metadata blocklist where five IPv6 transition forms — including NAT64 and ISATAP addresses — bypass the IP-blocking logic introduced in CVE-2026-46678, allowing a crafted URL to reach the cloud instance metadata endpoint (169.254.169.254) and return short-term IAM credentials. This is the third bypass of the same control class (CVE-2026-25580 → CVE-2026-46678 → CVE-2026-48782), signaling a structural gap in how the framework decodes IP representations before blocking rather than an isolated coding mistake. With 393 downstream dependents and CVSS Scope:Changed with Confidentiality:High, successful exploitation on a NAT64-configured Kubernetes cluster or ISATAP-tunneled network can cascade from credential leak to full cloud account compromise. There is no public exploit and this is not in CISA KEV, but the listed Attack Complexity:High reflects the network routing prerequisite — not technical difficulty — meaning any attacker aware of IPv6 transition forms can weaponize this against a qualifying deployment. Upgrade pydantic-ai and pydantic-ai-slim to ≥2.0.0b3 (or ≥1.102.0 for the v1 branch), audit all force_download='allow-local' usages, and enforce egress filtering on 169.254.169.254 at the Kubernetes NetworkPolicy layer.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Medium-High in qualifying environments despite the 6.8 CVSS score. The vector (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) captures that exploitation is scoped beyond the framework itself — cloud IAM credential theft grants attacker access to the broader cloud environment, not just the agent process. Attack complexity is high only because of the network routing prerequisite (NAT64 or ISATAP), not because the bypass technique itself is sophisticated: IPv6 address transition forms are well-documented and trivial to construct. Kubernetes-deployed Pydantic AI agents running in IPv6-only or dual-stack-with-NAT64 clusters, which are increasingly common in enterprise environments, face materially elevated risk. The three-CVE pattern on the same bypass class suggests the blocklist approach is structurally unsound — defense-in-depth at the network egress and IAM layers is the only reliable long-term control.

How does the attack unfold?

Target Identification
Adversary identifies a Pydantic AI agent application configured with force_download='allow-local' deployed on a NAT64-enabled Kubernetes cluster or ISATAP-tunneled network through active scanning or reconnaissance of the target's AI stack.
AML.T0006
SSRF Payload Delivery
Adversary delivers a URL containing an IPv6 transition form of 169.254.169.254 (e.g., http://[::169.254.169.254]/latest/meta-data/iam/security-credentials/) to the agent via user input, injected document, or indirect prompt injection — bypassing the metadata IP blocklist that fails to decode the IPv6 transition encoding.
AML.T0049
Credential Exfiltration
The agent's HTTP fetch tool resolves and routes the IPv6 address through the NAT64 gateway to the cloud metadata endpoint (169.254.169.254), which returns short-term IAM credentials including AccessKeyId, SecretAccessKey, and SessionToken.
AML.T0106
Cloud Account Compromise
Adversary uses the leaked short-term IAM credentials to access cloud resources (S3 buckets, Secrets Manager, SSM Parameter Store) and pivot laterally within the cloud account, bypassing network perimeter controls entirely via legitimate cloud API calls.
AML.T0055

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Pydantic AI pip No patch
17.7K 393 dependents Pushed 3d ago 78% patched ~188d to patch

How severe is it?

CVSS 3.1
6.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV Network
AC High
PR None
UI None
S Changed
C High
I None
A None

What should I do?

  1. Patch: upgrade pydantic-ai and pydantic-ai-slim to ≥2.0.0b3 (v2 branch) or ≥1.102.0 (v1 branch) — fix commit 1add06179ba4de259f7ab977620b697b7209f7e4.

  2. Code audit: grep for force_download='allow-local' across all Pydantic AI agent codebases; remove this option or replace with explicit URL allowlists.

  3. Network controls: apply Kubernetes NetworkPolicy or iptables/nftables rules to drop outbound traffic from agent pods to 169.254.169.254/32 and all IPv6 transition equivalents (::ffff:169.254.169.254, 64:ff9b::a9fe:a9fe, 64:ff9b:1::/48 range).

  4. IMDSv2 enforcement: on AWS, require IMDSv2 (session-oriented) on all EC2 instances and EKS nodes — this adds a PUT-first requirement that most SSRF exploits cannot satisfy without browser-level request control.

  5. IAM least privilege: audit and reduce IAM roles attached to agent execution environments; rotate credentials for any environment that was potentially exposed.

  6. Detection: enable cloud metadata API access logging (AWS CloudTrail for IMDSv2; GCP metadata server audit logs) and alert on credential issuance from metadata endpoints to unexpected processes.
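For the code audit in step 2, a plain grep misses double-quoted values, extra spacing and values passed through a variable. The following is an added example, not code from Pydantic AI or from the advisory: it walks the Python syntax tree and reports every force_download keyword argument that is 'allow-local' or is computed at runtime. The make_url call in the sample is a hypothetical stand-in for an application's call site, and the sample source is constructed.

```python
import ast


def find_allow_local(source, filename="<constructed>"):
    """Return sorted (line, verdict) pairs for risky force_download= arguments."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != "force_download":
                continue
            if isinstance(kw.value, ast.Constant):
                # Only the literal opt-in named in the advisory is reported.
                if kw.value.value == "allow-local":
                    findings.append((kw.value.lineno, "allow-local"))
            else:
                # Value decided at runtime: 'allow-local' cannot be ruled out.
                findings.append((kw.value.lineno, "dynamic"))
    return sorted(findings)


# Constructed sample input; make_url is hypothetical.
SAMPLE = '''
a = make_url(url=u, force_download = "allow-local")
b = make_url(url=u, force_download=True)
c = make_url(url=u,
             force_download=mode)
d = "force_download='allow-local' inside a string is not a call"
'''

if __name__ == "__main__":
    for line, verdict in find_allow_local(SAMPLE):
        print(f"line {line}: {verdict}")
```

Arguments passed by dictionary unpacking are not visible to this check and still need manual review.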

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
A.9.2 - Security of AI system
NIST AI RMF
MANAGE 2.2 - Risk Treatments
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions


Is CVE-2026-48782 actively exploited?

No confirmed active exploitation of CVE-2026-48782 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-48782?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, cloud-deployed AI agents, Kubernetes AI workloads, multi-tool AI pipelines.

What is the CVSS score for CVE-2026-48782?

CVE-2026-48782 has a CVSS v3.1 base score of 6.8 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, cloud-deployed AI agents, Kubernetes AI workloads, multi-tool AI pipelines

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.9.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3.
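The advisory's point is that a blocklist must decode every IPv6 form that can carry an IPv4 address before comparing it. The following is an added example, not Pydantic AI's fix: a deliberately conservative check that reads the IPv4 candidate at every RFC 6052 embedding position of any IPv6 address, so operator-chosen NAT64 prefixes are covered without knowing the prefix, and adds 6to4 and Teredo decoding. It assumes the input is an IP literal or an already-resolved address; the function names are chosen here.

```python
import ipaddress

METADATA_V4 = ipaddress.IPv4Address("169.254.169.254")

# RFC 6052 byte positions of the embedded IPv4 address for each NAT64 prefix
# length (byte 8, the "u" octet, is skipped). The /96 layout also covers
# IPv4-mapped, IPv4-compatible and ISATAP, which keep the IPv4 in the low 32 bits.
RFC6052_LAYOUTS = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}


def embedded_ipv4_candidates(addr):
    """Return every IPv4 address the given IP literal could be carrying."""
    ip = ipaddress.ip_address(addr.strip("[]"))  # accept URL-style [v6] literals
    if ip.version == 4:
        return {ip}
    raw = ip.packed
    found = {
        ipaddress.IPv4Address(bytes(raw[i] for i in positions))
        for positions in RFC6052_LAYOUTS.values()
    }
    if ip.sixtofour is not None:   # 2002:V4ADDR::/48
        found.add(ip.sixtofour)
    if ip.teredo is not None:      # 2001:0::/32 -> (server, de-obfuscated client)
        found.update(ip.teredo)
    return found


def reaches_metadata(addr):
    """True if the address is, or may translate to, the metadata endpoint."""
    return METADATA_V4 in embedded_ipv4_candidates(addr)
```

The check over-blocks by design: any IPv6 address that happens to contain the metadata bytes at one of these positions is refused, which is the safe direction for a deny rule.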

Exploitation Scenario

An adversary identifies a SaaS platform running Pydantic AI agents on a Kubernetes cluster with NAT64 networking enabled (common in IPv6-only enterprise clusters). The agent is configured with force_download='allow-local' to support internal document fetching workflows. The adversary crafts an indirect prompt injection by embedding the URL http://[::169.254.169.254]/latest/meta-data/iam/security-credentials/agent-role inside a document the agent is asked to process. When the agent fetches the URL, Pydantic AI's blocklist checks the IPv6 address against its known-bad list but fails to decode the IPv4-compatible IPv6 form to its underlying 169.254.169.254 value — the request passes through. The NAT64 gateway routes the request to the cloud metadata endpoint, which returns short-term AWS credentials (AccessKeyId, SecretAccessKey, SessionToken) in plaintext JSON. The adversary exfiltrates training data from S3, reads application secrets from AWS Secrets Manager, or escalates privileges within the cloud account — all without direct host network access and using only legitimate cloud API calls that blend into normal CloudTrail activity.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 17, 2026
