Description
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3.
Published: 2026-06-16
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an application using pydantic‑ai to bypass the cloud‑metadata blocklist by encoding a metadata IP in IPv6 transition forms such as IPv4‑compatible, SIIT/IVI, and local NAT64. This bypass enables the application to reach the internal cloud metadata endpoint and retrieve short‑term IAM credentials, which threatens confidentiality and affects the integrity of any services that use those credentials. The flaw is a Server‑Side Request Forgery identified as CWE‑918.

Affected Systems

Products pydantic:pydantic‑ai and pydantic:pydantic‑ai‑slim are affected in versions 1.56.0 through 1.101.0, 2.0.0b1 and 2.0.0b2. The fix is included in version 2.0.0b3. Any deployment of the affected versions that runs on a network employing NAT64, IPv6‑only, or ISATAP tunnels, or that enables force_download='allow-local', is vulnerable.

Risk and Exploitability

The CVSS score is 6.8 and the EPSS probability is below 1%, indicating a moderate severity but with a very low expected exploitation rate. The vulnerability is not listed in the CISA KEV catalog. Exploitation depends on the application enabling force_download='allow-local' and the network routing one of the IPv6 transition forms, which means that typical dual‑stack cloud VMs or containers that do not use these forms are not affected in practice.

Generated by OpenCVE AI on June 18, 2026 at 12:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pydantic‑ai to version 2.0.0b3 or later for both pydantic‑ai and pydantic‑ai‑slim.
  • Remove or disable the force_download='allow-local' configuration to keep private/internal IP blocklist active.
  • Ensure the deployment network does not route IPv6 transition forms such as NAT64 or ISATAP, or place additional firewall rules to block outbound requests to the internal metadata endpoint.

Generated by OpenCVE AI on June 18, 2026 at 12:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cg7w-rg45-pc59 pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-289
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Pydantic
Pydantic pydantic-ai
Vendors & Products Pydantic
Pydantic pydantic-ai

Tue, 16 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3.
Title pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Pydantic Pydantic-ai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T14:22:48.236Z

Reserved: 2026-05-22T20:18:20.365Z

Link: CVE-2026-48782

cve-icon Vulnrichment

Updated: 2026-06-17T14:22:42.483Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T22:49:26Z

Links: CVE-2026-48782 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:00:16Z

Weaknesses
  • CWE-289

    Authentication Bypass by Alternate Name

  • CWE-918

    Server-Side Request Forgery (SSRF)