Description
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.
Published: 2026-02-06
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Internal Resource Disclosure and Credential Theft
Action: Apply Patch
AI Analysis

Impact

Pydantic AI, a Python agent framework used for Generative AI workflows, contains an SSRF flaw in its URL download handling in versions from 0.0.26 up to, but not including, 1.56.0. An attacker who can supply message history to the application can embed malicious URLs, causing the server to issue HTTP requests to internal IP addresses. This lets the attacker read sensitive internal services, reach cloud credential endpoints, or otherwise access data that should remain private. The weakness maps to CWE-918, an input-validation flaw that permits unintended outbound network traffic.

Affected Systems

The affected product is Pydantic AI from the Pydantic organization. Versions from 0.0.26 up to, but not including, 1.56.0 are vulnerable. Any deployment that accepts message history from external clients without restricting the URL domain is at risk.

Risk and Exploitability

The CVSS score of 8.6 ranks this vulnerability as high severity, yet the EPSS probability is below 1%, indicating that exploitation attempts are currently rare. It is not listed in the CISA KEV catalogue. An attacker must first supply crafted content that the application accepts as legitimate message history, usually over an HTTP or WebSocket interface. Once the request is accepted, the server issues a GET or equivalent request to the supplied URL, potentially reaching internal resources that are normally unreachable from outside. Because the vector is server-side, the attacker needs no privileges on the target machine, only the ability to influence the message history content.

Generated by OpenCVE AI on April 17, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pydantic AI to version 1.56.0 or later, where the SSRF issue has been fixed.
  • Restrict the origins of message history to trusted users or enforce strict input validation that rejects URLs pointing to the internal network or private address ranges.
  • Limit outbound network traffic from the host running Pydantic AI by enforcing firewall rules or network segmentation, preventing it from reaching internal services that should remain isolated.
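The second recommended action above, rejecting URLs that point into the internal network or private address ranges, is shown below as an added example written for this page; it is not Pydantic AI's code or OpenCVE's. It assumes the application has a point where each URL taken from message history can be vetted before the download happens, uses only the Python standard library, and the `FAKE_DNS` mapping and the `.example` hostnames are constructed so the demonstration runs offline.

```python
"""Vet a URL taken from untrusted message history before the server fetches it.

Added example for this page, not Pydantic AI's own code. It assumes the
application has a hook where each download URL can be checked first.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]
AnyAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

ALLOWED_SCHEMES = {"http", "https"}


def system_resolve(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA record it currently maps to."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def is_blocked_address(ip: AnyAddress) -> bool:
    """True for any address that is not a plain public unicast address.

    ipaddress classifies loopback, RFC 1918, link-local (which includes the
    169.254.169.254 cloud-metadata endpoint), CGNAT and the documentation
    ranges as non-global; multicast and reserved space are refused as well.
    """
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged as
    # the IPv4 address it wraps, otherwise it slips past an IPv4-only filter.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved


def vet_download_url(url: str, resolve: Resolver = system_resolve) -> str:
    """Return the vetted IP literal to connect to, or raise ValueError.

    Handing the caller the address that passed the check (rather than a bare
    True) lets the HTTP client connect to exactly that address, so the name
    cannot be re-resolved to an internal host between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")

    try:
        # A literal IP is judged directly; no DNS lookup is involved.
        addrs: List[AnyAddress] = [ipaddress.ip_address(host)]
    except ValueError:
        resolved = list(resolve(host))
        if not resolved:
            raise ValueError(f"could not resolve {host!r}")
        addrs = [ipaddress.ip_address(a) for a in resolved]

    # Every record the name maps to must be public: a name that returns one
    # public and one internal address is rejected as a whole.
    for ip in addrs:
        if is_blocked_address(ip):
            raise ValueError(f"{url!r} points at non-public address {ip}")
    return str(addrs[0])


def is_safe_download_url(url: str, resolve: Resolver = system_resolve) -> bool:
    """Boolean convenience wrapper around vet_download_url."""
    try:
        vet_download_url(url, resolve)
        return True
    except ValueError:
        return False


# Constructed DNS answers so the demonstration runs offline; the .example
# names are reserved and this mapping is invented for the example.
FAKE_DNS = {
    "public.example": ["1.1.1.1"],
    "rebind.example": ["1.1.1.1", "127.0.0.1"],  # one internal record fails the name
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    samples = [
        "https://1.1.1.1/report.pdf",
        "http://127.0.0.1:8000/",
        "http://169.254.169.254/",
        "http://[::ffff:10.0.0.1]/",
        "file:///etc/passwd",
        "https://public.example/doc",
        "https://rebind.example/doc",
    ]
    for u in samples:
        try:
            print(f"ALLOW {u} -> {vet_download_url(u, fake_resolve)}")
        except ValueError as exc:
            print(f"BLOCK {u}: {exc}")
```

Two details matter when wiring this into a real download path. The check returns the address that passed so the HTTP client can be pointed at it directly; re-resolving the hostname afterwards reopens the window in which a name can be answered with an internal address on the second lookup. Redirects need the same care: either disable redirect following for these downloads or run the check again on every hop, since a public host that redirects to an internal address bypasses a check done only on the original URL.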



Advisories

Source: GitHub GHSA
ID: GHSA-2jrp-274c-jhv3
Title: Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling
History

Fri, 20 Feb 2026 21:15:00 +0000

Type: First Time appeared
  Values Added: Pydantic pydantic Ai
Type: CPEs
  Values Added: cpe:2.3:a:pydantic:pydantic_ai:*:*:*:*:*:python:*:*
Type: Vendors & Products
  Values Added: Pydantic pydantic Ai

Tue, 10 Feb 2026 00:15:00 +0000

Type: References
Type: Metrics (threat_severity)
  Values Removed: None
  Values Added: Important

Mon, 09 Feb 2026 16:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
  Values Added: Pydantic; Pydantic pydantic-ai
Type: Vendors & Products
  Values Added: Pydantic; Pydantic pydantic-ai

Fri, 06 Feb 2026 21:15:00 +0000

Type: Description
  Values Added: Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.
Type: Title
  Values Added: Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling
Type: Weaknesses
  Values Added: CWE-918
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:27:37.772Z

Reserved: 2026-02-03T01:02:46.715Z

Link: CVE-2026-25580

Vulnrichment

Updated: 2026-02-09T15:22:00.087Z

NVD

Status: Analyzed

Published: 2026-02-06T21:16:17.167

Modified: 2026-02-20T21:01:59.270

Link: CVE-2026-25580

Redhat

Severity: Important

Public Date: 2026-02-06T21:01:38Z

Links: CVE-2026-25580 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses