GHSA-cqp8-fcvh-x7r3: Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)
Summary
Pydantic AI had a security flaw that let attackers bypass its protections against requests to cloud-metadata endpoints (internal servers that hold sensitive credentials) by encoding the target IP address in an IPv6 transition form (IPv4-mapped IPv6, 6to4, or NAT64, each of which represents an IPv4 address in IPv6 notation). The flaw affects only applications that explicitly allow local file downloads with the `force_download='allow-local'` setting on URLs that untrusted users can influence.
Solution / Mitigation
Upgrade to Pydantic AI version 1.99.0 or later, which extends the blocklists to cover IPv6 transition forms that route to blocked IPv4 endpoints and adds protection for additional IANA-reserved IP ranges. For unpatched versions, avoid using `force_download='allow-local'` on URLs influenced by untrusted input, or resolve hostnames manually and validate them against your own blocklist, including IPv6-encoded forms, before creating the `FileUrl`.
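One way to implement the manual check the mitigation describes, as an added example that is not Pydantic AI's own code: unwrap the three transition forms the advisory names (IPv4-mapped, 6to4, NAT64) back to the IPv4 address they actually reach, then test that address against a blocklist. The blocklist ranges, the `url_is_safe` and `is_blocked_ip` function names, and the injectable `resolve` callable are assumptions made for this example, not part of the project.

```python
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit

# Constructed blocklists for this example (assumption: not Pydantic AI's own lists).
# IPv4 ranges that host cloud-metadata services or are IANA-reserved.
BLOCKED_IPV4 = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",   # link-local; includes the 169.254.169.254 metadata endpoint
    "127.0.0.0/8",      # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",    # shared address space (CGNAT), also used by some providers' metadata services
    "0.0.0.0/8",        # "this" network
    "240.0.0.0/4",      # reserved / limited broadcast
)]
# IPv6 ranges blocked outright (no embedded IPv4 to unwrap).
BLOCKED_IPV6 = [ipaddress.ip_network(n) for n in (
    "::1/128",            # loopback
    "fe80::/10",          # link-local
    "fc00::/7",           # unique local
    "fd00:ec2::254/128",  # AWS IMDS IPv6 endpoint
)]
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 well-known prefix


def embedded_ipv4(addr: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried inside an IPv6 transition address, else None.

    Covers the three forms named in the advisory: IPv4-mapped (::ffff:a.b.c.d),
    6to4 (2002:AABB:CCDD::/48) and NAT64 (64:ff9b::a.b.c.d).
    """
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    if addr.sixtofour is not None:
        return addr.sixtofour
    if addr in NAT64_PREFIX:
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)  # low 32 bits hold the IPv4
    return None


def is_blocked_ip(ip_text: str) -> bool:
    """True if the literal address, after unwrapping transition forms, hits the blocklist."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address):
        inner = embedded_ipv4(addr)
        if inner is None:
            return any(addr in net for net in BLOCKED_IPV6)
        addr = inner  # judge the address by the IPv4 endpoint it actually reaches
    return any(addr in net for net in BLOCKED_IPV4)


def _resolve(host: str):
    """Resolve a hostname to every A/AAAA answer, so a host that only publishes a
    mapped IPv6 record is still checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def url_is_safe(url: str, resolve=_resolve) -> bool:
    """Reject URLs whose host (IP literal or DNS name) lands on a blocked endpoint.

    `resolve` is injectable so the check runs without DNS in tests; every resolved
    address must pass, since a resolver may return several.
    """
    host = urlsplit(url).hostname  # brackets stripped, lowercased
    if not host:
        return False
    try:
        return not is_blocked_ip(host)
    except ValueError:
        pass  # not an IP literal; fall through to DNS
    try:
        addrs = resolve(host)
    except OSError:
        return False  # unresolvable: fail closed
    return bool(addrs) and not any(is_blocked_ip(a) for a in addrs)
```

Validate, then connect to the exact address that passed validation rather than letting the HTTP client resolve the name a second time; otherwise a DNS answer that changes between the check and the fetch defeats the check.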
Vulnerability Details
EPSS: 0.0%
May 21, 2026
Original source: https://github.com/advisories/GHSA-cqp8-fcvh-x7r3
First tracked: May 21, 2026 at 08:00 PM