VYPR
Medium severity (6.8) · GHSA Advisory · Published May 21, 2026 · Updated May 21, 2026

Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)

CVE-2026-46678

Description

Summary

When an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs), the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form (IPv4-mapped IPv6, 6to4, or NAT64). Dual-stack and translated networks route the IPv6 wrapper to the underlying IPv4 endpoint, exposing cloud IAM short-term credentials.

This advisory covers an incomplete fix of GHSA-2jrp-274c-jhv3 / CVE-2026-25580. The parent advisory's remediation guaranteed that "cloud metadata endpoints are always blocked, even with allow-local"; that guarantee did not hold for IPv6-encoded forms of the metadata IPs.

Severity

Same impact metrics as the parent CVE, but a materially narrower attack surface (AC:H instead of AC:L), because exploitation requires the application to have opted a URL influenced by untrusted input into allow-local.

Who Is Affected

Applications are affected only if they explicitly opt a FileUrl (ImageUrl, AudioUrl, VideoUrl, DocumentUrl) into force_download='allow-local' for a URL that is, or could be, influenced by untrusted input.

Applications are not affected if they use any of the bundled integrations to ingest user input, because they do not propagate force_download from external data:

  • Agent.to_web / clai web
  • VercelAIAdapter
  • AGUIAdapter / Agent.to_ag_ui

Applications that only download from developer-controlled URLs are not affected.

Remediation

Upgrade to 1.99.0 or later. The cloud-metadata and private-IP blocklists now apply to IPv6 transition forms that route to a blocked IPv4 endpoint (IPv4-mapped IPv6, 6to4, and NAT64 well-known prefix). The blocklists have also been extended to cover additional IANA-reserved IPv4 and IPv6 special-purpose ranges.

Workaround for Unpatched Versions

Avoid passing force_download='allow-local' on any URL that could be influenced by untrusted input. If developers must, resolve the hostname themselves and validate every resulting address against their own metadata blocklist, including the IPv4 target embedded in any IPv6 transition form (IPv4-mapped, 6to4, NAT64), before constructing the FileUrl.
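The normalisation step that workaround calls for, as an added example that is not Pydantic AI's own code: a constructed blocklist holding the 169.254.169.254 address named in this advisory, the bypassable IPv4-only comparison placed beside a check that first unwraps IPv4-mapped, 6to4 and NAT64 (64:ff9b::/96) forms to the IPv4 target they route to, and a URL guard whose resolver is injectable so it can be exercised offline. The hostnames, the resolver table and the helper names (`embedded_ipv4`, `blocked_targets`, `require_safe_url`) are assumptions made for the example.

```python
"""Added example (not Pydantic AI's code): unwrap IPv6 transition forms to the
IPv4 target they route to before consulting a cloud-metadata blocklist."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed blocklist for the example: the metadata address named in the
# advisory. A real deployment adds its own provider's endpoints and the
# private/link-local ranges it wants to keep closed.
METADATA_NETWORKS = [
    ipaddress.ip_network("169.254.169.254/32"),
]

# RFC 6052 NAT64 well-known prefix. IPv4-mapped (::ffff:0:0/96) and 6to4
# (2002::/16) are unwrapped by the ipaddress module's own accessors below.
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")


def embedded_ipv4(ip_text):
    """Return the IPv4 address that `ip_text` is routed to on a dual-stack or
    translated network, or None if it embeds no IPv4 target."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 4:
        return addr
    if addr.ipv4_mapped is not None:   # ::ffff:169.254.169.254
        return addr.ipv4_mapped
    if addr.sixtofour is not None:     # 2002:a9fe:a9fe::
        return addr.sixtofour
    if addr in NAT64_WKP:              # 64:ff9b::a9fe:a9fe
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def naive_is_blocked(ip_text):
    """The bypassable pattern: compare the literal against the list. An IPv6
    literal never matches an IPv4 network, so the transition wrapper passes."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in METADATA_NETWORKS)


def is_blocked(ip_text):
    """Hardened check: test the literal and, for transition forms, the IPv4
    address it actually reaches."""
    addr = ipaddress.ip_address(ip_text)
    candidates = {addr}
    inner = embedded_ipv4(ip_text)
    if inner is not None:
        candidates.add(inner)
    return any(c in net for c in candidates for net in METADATA_NETWORKS)


def _system_resolver(name):
    """Every A/AAAA record for `name`; a bare IP literal resolves to itself."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})


def blocked_targets(url, resolver=_system_resolver):
    """Addresses the URL's host resolves to that hit the blocklist (empty
    means the host is clean). `resolver` is injectable so the check can be
    exercised offline; the default asks the system resolver."""
    host = urlsplit(url).hostname      # strips the [] around IPv6 literals
    if host is None:
        raise ValueError("URL has no host")
    return [text for text in resolver(host) if is_blocked(text)]


def require_safe_url(url, resolver=_system_resolver):
    """Guard to run before constructing a FileUrl with allow-local: raise if
    any resolved address is a blocked metadata target."""
    hits = blocked_targets(url, resolver)
    if hits:
        raise ValueError(f"{url!r} resolves to blocked address(es) {hits}")
    return url


if __name__ == "__main__":
    # Constructed resolver table standing in for DNS in this demo.
    table = {"files.example": ["2001:db8::1", "203.0.113.10"]}
    demo = lambda name: table.get(name, [name])
    for url in ("http://files.example/report.pdf",
                "http://[::ffff:169.254.169.254]/latest/meta-data/",
                "http://[64:ff9b::a9fe:a9fe]/latest/meta-data/"):
        print(url, "->", blocked_targets(url, demo) or "ok")
```

Two caveats for anyone adapting this. It covers only the three transition forms this advisory names; the 1.99.0 fix also extends the lists to further IANA special-purpose ranges, so a home-grown list needs the same breadth. And resolving before the download leaves a window for DNS rebinding: the address checked here should be the address actually connected to, either by pinning it for the request or by re-checking at connect time.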

Credits

Reported by j0hndo.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pydantic AI's cloud-metadata blocklist can be bypassed via IPv6 transition forms when `force_download='allow-local'` is used, exposing cloud IAM credentials.

Vulnerability

CVE-2026-46678 is an incomplete fix of CVE-2026-25580 [1]. The cloud-metadata blocklist introduced in version 1.56.0 to prevent SSRF attacks did not account for IPv6 transition forms such as IPv4-mapped IPv6, 6to4, or NAT64 addresses [2]. When an application opts a URL into force_download='allow-local', the blocklist can be bypassed by encoding the metadata IP (e.g., 169.254.169.254) in one of these IPv6 forms [2][3].

Exploitation

Exploitation requires the application to explicitly set force_download='allow-local' on a FileUrl (or ImageUrl, AudioUrl, VideoUrl, DocumentUrl) that is influenced by untrusted input [2]. Applications using bundled integrations like Agent.to_web or VercelAIAdapter are not affected because they do not propagate force_download from external data [2][3]. On dual-stack or translated networks, the IPv6 wrapper routes to the underlying IPv4 endpoint, reaching the cloud metadata service [2].

Impact

An attacker can retrieve cloud IAM short-term credentials (e.g., AWS IMDS, GCP, Azure) from the metadata endpoint, leading to potential cloud account compromise [2][3].

Mitigation

Upgrade to Pydantic AI version 1.99.0 or later, which extends the blocklists to cover IPv6 transition forms and additional IANA-reserved ranges [2][3]. As a workaround, avoid passing force_download='allow-local' on any URL that could be influenced by untrusted input [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Pydantic / Pydantic AI (GHSA), 2 version ranges:
    • >= 1.56.0, < 1.99.0 (no CPE)
    • < 1.99.0 (no CPE)

Patches

No patches discovered yet.

News mentions

No linked articles in our index yet.