Listen to this Post
How CVE-2026-46678 Works (Incomplete Fix of CVE-2026-25580)
- The original CVE-2026-25580 (fixed in v1.56.0) allowed SSRF via
force_download='allow-local', letting attackers reach internal IPs and cloud metadata endpoints (e.g.,169.254.169.254). - The fix in v1.56.0 added a blocklist for IPv4 private and metadata addresses when `allow-local` was used.
- However, v1.56.0 through v1.98.0 only blocked the raw IPv4 form of metadata IPs (e.g.,
169.254.169.254). - Attackers discovered they could bypass this blocklist by encoding the metadata IPv4 address into IPv6 transition forms.
5. Three key encoding techniques work:
• IPv4-mapped IPv6 – e.g., `::ffff:169.254.169.254`
• 6to4 – e.g., `2002:a9fe:a9fe::` (where `a9fe:a9fe` = 169.254.169.254)
• NAT64 well-known prefix – e.g., `64:ff9b::a9fe:a9fe`
- On dual-stack or translated networks, the operating system or router automatically unwraps these IPv6 packets and routes them to the underlying IPv4 endpoint.
- Pydantic AI’s `download_item()` helper would resolve these IPv6 addresses without detecting the blocked IPv4 destination.
- The vulnerable code path is triggered when an application creates a `FileUrl` (or
ImageUrl,AudioUrl,VideoUrl,DocumentUrl) with `force_download=’allow-local’` using a user‑influenced URL. - The server then makes an HTTP request to the unwrapped IPv4 address, reaching cloud metadata endpoints.
- The response returns IAM short‑term credentials, which can be exfiltrated to the attacker.
- This vulnerability is an incomplete fix of the original GHSA-2jrp-274c-jhv3 / CVE-2026-25580.
- The attack requires the application to explicitly opt into `allow-local` on a URL that can be influenced by untrusted input, making it narrower (AC:H) than the parent CVE.
DailyCVE Form
Platform: Pydantic AI
Version: >=1.56.0, <1.99.0
Vulnerability: SSRF (IPv6 Bypass)
Severity: Moderate
Date: 2026-05-21
Prediction: Immediate upgrade to 1.99.0
Analytics – What Undercode Say
Grep for dangerous force_download='allow-local' usage in your codebase grep -r "force_download='allow-local'" --include=".py" . Check installed pydantic-ai version pip show pydantic-ai | grep Version Test for IPv6-encoded metadata reachability (run from affected server) curl -v http://[::ffff:169.254.169.254]/latest/meta-data/ curl -v http://[2002:a9fe:a9fe::]/latest/meta-data/ curl -v http://[64:ff9b::a9fe:a9fe]/latest/meta-data/
Exploit
An attacker supplies a malicious file URL to a chat endpoint that uses FileUrl(..., force_download='allow-local'). The URL contains the cloud metadata IP (169.254.169.254) encoded as ::ffff:169.254.169.254, 2002:a9fe:a9fe::, or 64:ff9b::a9fe:a9fe. Pydantic AI resolves the IPv6 address and makes an internal request, returning IAM credentials in the response.
Protection from this CVE
- Upgrade to Pydantic AI v1.99.0 or later. The fixed version blocks IPv4‑mapped IPv6, 6to4, NAT64 prefixes, and extends the blocklist to additional IANA‑reserved ranges.
- If upgrade is not possible, never pass `force_download=’allow-local’` on URLs that can be controlled by untrusted input.
- As a workaround, manually resolve the hostname and validate the IP against a blocklist that includes all IPv6‑encoded forms before constructing a
FileUrl.
Impact
Successful exploitation allows an attacker to:
- Retrieve IAM short‑term credentials from AWS, GCP, Azure, or Alibaba Cloud metadata endpoints.
- Use those credentials to move laterally within the cloud environment, access sensitive data, or provision new resources.
- Scan internal networks and access other internal HTTP services. The impact is identical to the parent CVE (CVE-2026-25580), but the attack surface is narrower because the application must explicitly enable `allow-local` on a user‑controlled URL.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

