Pydantic AI, SSRF Cloud-Metadata Blocklist Bypass via IPv6 Transition Forms, CVE-2026-46678 (Moderate)

Listen to this Post

How CVE-2026-46678 Works (Incomplete Fix of CVE-2026-25580)

  1. The original CVE-2026-25580 (fixed in v1.56.0) allowed SSRF via force_download='allow-local', letting attackers reach internal IPs and cloud metadata endpoints (e.g., 169.254.169.254).
  2. The fix in v1.56.0 added a blocklist for IPv4 private and metadata addresses when `allow-local` was used.
  3. However, v1.56.0 through v1.98.0 only blocked the raw IPv4 form of metadata IPs (e.g., 169.254.169.254).
  4. Attackers discovered they could bypass this blocklist by encoding the metadata IPv4 address into IPv6 transition forms.

5. Three key encoding techniques work:

• IPv4-mapped IPv6 – e.g., `::ffff:169.254.169.254`

• 6to4 – e.g., `2002:a9fe:a9fe::` (where `a9fe:a9fe` = 169.254.169.254)

• NAT64 well-known prefix – e.g., `64:ff9b::a9fe:a9fe`

  1. On dual-stack or translated networks, the operating system or router automatically unwraps these IPv6 packets and routes them to the underlying IPv4 endpoint.
  2. Pydantic AI’s `download_item()` helper would resolve these IPv6 addresses without detecting the blocked IPv4 destination.
  3. The vulnerable code path is triggered when an application creates a `FileUrl` (or ImageUrl, AudioUrl, VideoUrl, DocumentUrl) with `force_download=’allow-local’` using a user‑influenced URL.
  4. The server then makes an HTTP request to the unwrapped IPv4 address, reaching cloud metadata endpoints.
  5. The response returns IAM short‑term credentials, which can be exfiltrated to the attacker.
  6. This vulnerability is an incomplete fix of the original GHSA-2jrp-274c-jhv3 / CVE-2026-25580.
  7. The attack requires the application to explicitly opt into `allow-local` on a URL that can be influenced by untrusted input, making it narrower (AC:H) than the parent CVE.

DailyCVE Form

Platform: Pydantic AI
Version: >=1.56.0, <1.99.0
Vulnerability: SSRF (IPv6 Bypass)
Severity: Moderate
Date: 2026-05-21

Prediction: Immediate upgrade to 1.99.0

Analytics – What Undercode Say

Grep for dangerous force_download='allow-local' usage in your codebase
grep -r "force_download='allow-local'" --include=".py" .
Check installed pydantic-ai version
pip show pydantic-ai | grep Version
Test for IPv6-encoded metadata reachability (run from affected server)
curl -v http://[::ffff:169.254.169.254]/latest/meta-data/
curl -v http://[2002:a9fe:a9fe::]/latest/meta-data/
curl -v http://[64:ff9b::a9fe:a9fe]/latest/meta-data/

Exploit

An attacker supplies a malicious file URL to a chat endpoint that uses FileUrl(..., force_download='allow-local'). The URL contains the cloud metadata IP (169.254.169.254) encoded as ::ffff:169.254.169.254, 2002:a9fe:a9fe::, or 64:ff9b::a9fe:a9fe. Pydantic AI resolves the IPv6 address and makes an internal request, returning IAM credentials in the response.

Protection from this CVE

  • Upgrade to Pydantic AI v1.99.0 or later. The fixed version blocks IPv4‑mapped IPv6, 6to4, NAT64 prefixes, and extends the blocklist to additional IANA‑reserved ranges.
  • If upgrade is not possible, never pass `force_download=’allow-local’` on URLs that can be controlled by untrusted input.
  • As a workaround, manually resolve the hostname and validate the IP against a blocklist that includes all IPv6‑encoded forms before constructing a FileUrl.

Impact

Successful exploitation allows an attacker to:

  • Retrieve IAM short‑term credentials from AWS, GCP, Azure, or Alibaba Cloud metadata endpoints.
  • Use those credentials to move laterally within the cloud environment, access sensitive data, or provision new resources.
  • Scan internal networks and access other internal HTTP services. The impact is identical to the parent CVE (CVE-2026-25580), but the attack surface is narrower because the application must explicitly enable `allow-local` on a user‑controlled URL.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top