Description
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0.
Published: 2026-02-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via Path Traversal
Action: Patch Now
AI Analysis

Impact

A path traversal flaw in Pydantic AI's web UI allows an attacker to construct a malicious URL that causes the server to load and serve arbitrary JavaScript from the CDN. Because the version query parameter is not validated, the server fetches attacker-controlled HTML/JavaScript and delivers it to the victim's browser, resulting in a stored cross-site scripting (XSS) attack that can steal chat history and other client-side data. The weakness maps to CWE-22 (Path Traversal) and CWE-79 (Cross-Site Scripting).

Affected Systems

The vulnerability is present in Pydantic AI versions from 1.34.0 up to, but not including, 1.51.0. It affects applications that use Agent.to_web or Agent.cli to expose a chat interface, typically running locally on localhost but also possible on remote servers.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate‑to‑high severity; the EPSS score is below 1%, implying a low current exploitation probability, and it is not listed in the CISA KEV catalog. An attacker would need to deliver a crafted URL to a victim or embed it in an iframe; the victim must then view the page for the XSS to execute. The risk is higher if the web interface is publicly accessible, whereas a strictly local deployment limits exposure.

Generated by OpenCVE AI on April 17, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pydantic AI to version 1.51.0 or later to remove the vulnerable code path.
  • Restrict access to the Agent.to_web and Agent.cli chat interfaces to trusted users or disable them when not needed.
  • Implement a strict Content Security Policy that disallows inline scripts and limits script sources to a known CDN.
  • If an upgrade cannot be performed immediately, sanitize or whitelist the version query parameter used to fetch the CDN resource to prevent traversal from the client’s input.
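One way to implement the allow-list check from the last recommendation, shown as an added example (it is not Pydantic AI's code and not the fix shipped in 1.51.0). The CDN host, package path, `/dist/index.html` layout and all function names are hypothetical placeholders, since the page does not give the real ones.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Assumed placeholders: the advisory does not give the real CDN host or package path.
CDN_BASE = "https://cdn.example.invalid"
PACKAGE_PATH = "/npm/example-chat-ui"  # hypothetical package location
DEFAULT_VERSION = "1.0.0"              # hypothetical pinned default

# Allow-list: MAJOR.MINOR.PATCH with an optional pre-release tag.
# '/', '\\', '%', '@', whitespace and empty dot segments can never match.
_VERSION_RE = re.compile(
    r"[0-9]{1,4}\.[0-9]{1,4}\.[0-9]{1,4}(?:-[0-9A-Za-z]{1,16}(?:\.[0-9A-Za-z]{1,16})*)?"
)

class InvalidVersion(ValueError):
    """The version query parameter is not a plain version string."""

def validate_version(raw):
    """Return a safe version string; reject anything outside the allow-list."""
    if raw is None:
        return DEFAULT_VERSION
    if not isinstance(raw, str) or not _VERSION_RE.fullmatch(raw):
        raise InvalidVersion("rejected version parameter")
    return raw

def build_cdn_url(raw_version):
    """Build the UI URL and confirm it still points inside the pinned package."""
    version = validate_version(raw_version)
    url = f"{CDN_BASE}{PACKAGE_PATH}@{version}/dist/index.html"
    parts = urlsplit(url)
    # Defence in depth: host unchanged, path already normalised, prefix intact.
    if (parts.netloc != urlsplit(CDN_BASE).netloc
            or posixpath.normpath(parts.path) != parts.path
            or not parts.path.startswith(f"{PACKAGE_PATH}@{version}/")):
        raise InvalidVersion("resolved URL left the package path")
    return url

def is_accepted(raw_version):
    """True if the parameter would be used, False if the request is refused."""
    try:
        build_cdn_url(raw_version)
        return True
    except InvalidVersion:
        return False

# Constructed sample inputs (values as seen after the framework decodes the query string).
SAMPLES = ["1.2.3", "1.2.3-rc.1", "../other-package@1.0.0", "1.2.3/../../x", "%2e%2e%2fx", "1.2.3\n"]
RESULTS = {s: is_accepted(s) for s in SAMPLES}
```

Refusing the request on a mismatch, rather than stripping characters and continuing, keeps the check independent of how many times the input was encoded.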


Advisories
Source: Github GHSA
ID: GHSA-wjp5-868j-wqv7
Title: Pydantic AI has Stored XSS via Path Traversal in Web UI CDN URL
History

Fri, 20 Feb 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pydantic pydantic Ai
CPEs | | cpe:2.3:a:pydantic:pydantic_ai:*:*:*:*:*:python:*:*
Vendors & Products | | Pydantic pydantic Ai

Tue, 10 Feb 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Important

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pydantic; Pydantic pydantic-ai
Vendors & Products | | Pydantic; Pydantic pydantic-ai

Fri, 06 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | Pydantic AI affected by Stored XSS via Path Traversal in Web UI CDN URL
Weaknesses | | CWE-22, CWE-79
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T20:16:23.201Z

Reserved: 2026-02-04T05:15:41.791Z

Link: CVE-2026-25640

Vulnrichment

Updated: 2026-02-06T20:16:19.783Z

NVD

Status: Analyzed

Published: 2026-02-06T20:16:11.110

Modified: 2026-02-20T20:59:26.067

Link: CVE-2026-25640

Redhat

Severity: Important

Public Date: 2026-02-06T20:01:53Z

Links: CVE-2026-25640 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses