How CVE-2026-48782 Works
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. The framework includes a file‑download feature that, by default, blocks access to private/internal IP addresses and cloud metadata endpoints. However, developers can override this protection by passing `force_download='allow-local'` to a `FileUrl` (or `ImageUrl`, `AudioUrl`, `VideoUrl`, `DocumentUrl`).
CVE-2026-48782 is an incomplete fix of the earlier CVE-2026-46678 (which itself was a follow‑up to CVE-2026-25580). The previous remediation decoded only three IPv6 transition forms: IPv4‑mapped IPv6, 6to4, and the NAT64 well‑known prefix. It did not handle the remaining standardized transition forms, leaving a gap in the metadata blocklist.
An attacker who can control the URL passed to a `FileUrl` with `force_download='allow-local'` can encode the cloud metadata IP (e.g., 169.254.169.254) into one of these undecoded IPv6 forms:
– IPv4‑compatible IPv6 – `::a.b.c.d` (e.g., ::169.254.169.254)
– NAT64 RFC 8215 local‑use prefix – `64:ff9b:1::/48`
– Operator‑chosen NAT64 prefixes (any /96, /64, /48, etc.)
– ISATAP – addresses that embed the IPv4 in the interface identifier
The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint, exposing cloud IAM short‑term credentials.
Crucially, the bypass is only exploitable in environments whose network actually routes these forms:
– NAT64‑configured networks – IPv6‑only or dual‑stack‑with‑NAT64 deployments, including some Kubernetes setups.
– ISATAP tunnels – for the ISATAP variant.
A standard dual‑stack cloud VM or container does not route these forms and is not affected in practice. The IPv4‑compatible and Teredo variants are deprecated and are addressed only as defense‑in‑depth.
The vulnerability affects Pydantic AI versions 1.56.0 through 1.101.0, and 2.0.0b1 and 2.0.0b2. It was fixed in 1.102.0 and 2.0.0b3.
DailyCVE Form:
Platform: Pydantic AI
Version: >=1.56.0 <1.102.0, >=2.0.0b1 <2.0.0b3
Vulnerability: SSRF cloud‑metadata blocklist bypass via IPv6 transition forms
Severity: MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N – 6.8)
Date: 2026‑06‑16
Prediction: 2026‑05‑23 (1.102.0) / 2026‑06‑16 (2.0.0b3)
What Undercode Says:
Analytics – The attack requires three conditions to align:
1. Application calls `FileUrl(url, force_download='allow-local')` with a user‑controllable URL.
2. The URL points to an IPv6 address that embeds the metadata IP in one of the undecoded transition forms.
3. The deployment network actually routes that IPv6 form to the metadata endpoint (NAT64 or ISATAP).
Most cloud environments do not route these deprecated or specialised forms, so the real‑world attack surface is narrow. However, IPv6‑only Kubernetes clusters with NAT64 are at risk.
Bash commands & codes – To test whether your network routes NAT64 prefixes, you can run:

```bash
# Check if the NAT64 well-known prefix is reachable
ping6 64:ff9b::1.1.1.1

# Or use curl to attempt metadata access via NAT64
curl -6 http://[64:ff9b:1::169.254.169.254]/latest/meta-data/
```
In Python, a vulnerable code snippet looks like:
```python
from pydantic_ai import FileUrl

# Attacker-controlled URL
user_url = "http://[::169.254.169.254]/latest/meta-data/iam/security-credentials/"

# This bypasses the blocklist because ::a.b.c.d is not decoded
file = FileUrl(user_url, force_download='allow-local')
```
After the fix, the blocklist decodes all standardized IPv6 transition forms before evaluation: the embedded IPv4 address is extracted and blocked, so the URL above is rejected.
Exploit:
An attacker who can influence the URL parameter of a `FileUrl` with `force_download='allow-local'` can craft an IPv6 address that embeds the cloud metadata IP (169.254.169.254) using:
– IPv4‑compatible – `http://[::169.254.169.254]/latest/meta-data/`
– NAT64 local‑use – `http://[64:ff9b:1::169.254.169.254]/latest/meta-data/`
– Operator‑chosen NAT64 – e.g., `http://[2001:db8:64::169.254.169.254]/latest/meta-data/` (if the network uses that prefix)
– ISATAP – e.g., `http://[2001:db8::5efe:169.254.169.254]/latest/meta-data/`
If the application runs on a network that routes these forms (NAT64 or ISATAP), the request reaches the metadata endpoint and returns IAM credentials, which the attacker can then exfiltrate.
Protection:
- Upgrade to Pydantic AI 1.102.0 or later (or 2.0.0b3 or later on the 2.0 pre‑release line).
- Avoid passing `force_download='allow-local'` on any URL that could be influenced by untrusted input.
- If an upgrade is not immediately possible, manually validate URLs: resolve the hostname and check it against a blocklist that includes all IPv6 transition forms before constructing the `FileUrl`.
- Network‑level protection: if you run an IPv6‑only or NAT64‑enabled Kubernetes cluster, consider restricting egress to metadata endpoints or using network policies to block IPv6 traffic to the metadata IP.
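The manual validation step above, and the decode gap described under "How CVE-2026-48782 Works", can be implemented as a pre-check that runs before a URL is ever handed to `FileUrl`. The following is an added example written for this page, not Pydantic AI's own blocklist code: it decodes every IPv6 transition form the advisory names (IPv4-mapped, IPv4-compatible, 6to4, Teredo, the NAT64 well-known and RFC 8215 local-use prefixes, an operator-chosen NAT64 prefix, and ISATAP) into candidate embedded IPv4 addresses and rejects the URL if any candidate lands in metadata or private space. The operator prefix `2001:db8:64::/96` is a constructed placeholder, the function names (`safe_download_url`, `embedded_ipv4_candidates`, `nat64_embedded`) are assumptions for the example, and resolving a non-literal hostname uses the standard library and needs network access.

```python
"""Added example (not Pydantic AI's code): reject download URLs whose IPv6 host
embeds a blocked IPv4 address via any transition form named in the advisory."""
from __future__ import annotations

import ipaddress
import socket
from ipaddress import IPv4Address, IPv6Address
from urllib.parse import urlsplit

# IPv4 ranges that must never be fetched; 169.254.0.0/16 holds the cloud
# metadata endpoint 169.254.169.254, the rest are private/loopback/"this host".
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8")]
# IPv6 ranges blocked as-is: loopback, unspecified, link-local, ULA.
BLOCKED_V6 = [ipaddress.ip_network(n) for n in (
    "::1/128", "::/128", "fe80::/10", "fc00::/7")]
# NAT64 prefixes: RFC 6052 well-known /96, RFC 8215 local-use /48, and one
# operator-chosen prefix (2001:db8:64::/96 is a constructed placeholder).
NAT64_PREFIXES = [ipaddress.ip_network(n) for n in (
    "64:ff9b::/96", "64:ff9b:1::/48", "2001:db8:64::/96")]
# ISATAP interface identifiers: ::0000:5efe:a.b.c.d and ::0200:5efe:a.b.c.d
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def nat64_embedded(packed: bytes, prefixlen: int) -> bytes:
    """IPv4 bytes at the RFC 6052 section 2.2 position for a NAT64 prefix length."""
    if prefixlen == 96:
        return packed[12:16]
    if prefixlen == 64:
        return packed[9:13]            # octet 8 is the reserved 'u' octet
    if prefixlen == 32:
        return packed[4:8]
    start = prefixlen // 8             # /40, /48, /56 straddle the 'u' octet
    return packed[start:8] + packed[9:9 + 4 - (8 - start)]


def embedded_ipv4_candidates(addr: IPv6Address) -> set[IPv4Address]:
    """Every IPv4 address that this IPv6 address could be carrying."""
    packed = addr.packed
    low32 = IPv4Address(packed[12:16])
    found: set[IPv4Address] = set()
    if addr.ipv4_mapped is not None:           # ::ffff:a.b.c.d
        found.add(addr.ipv4_mapped)
    if packed[:12] == bytes(12):               # IPv4-compatible ::a.b.c.d (deprecated)
        found.add(low32)
    if addr.sixtofour is not None:             # 6to4, 2002:AABB:CCDD::/48
        found.add(addr.sixtofour)
    if addr.teredo is not None:                # Teredo 2001::/32; client IPv4 is XOR-obfuscated
        found.add(addr.teredo[1])
    for prefix in NAT64_PREFIXES:
        if addr in prefix:
            found.add(IPv4Address(nat64_embedded(packed, prefix.prefixlen)))
            # Also accept the "prefix::a.b.c.d" spelling used in the advisory's URLs.
            if prefix.prefixlen != 96 and packed[12:16] != bytes(4):
                found.add(low32)
    if packed[8:12] in ISATAP_IIDS:            # ISATAP: IPv4 in the interface identifier
        found.add(low32)
    return found


def is_blocked(ip: IPv4Address | IPv6Address) -> bool:
    """True if the address, or any IPv4 it embeds, is in a blocked range."""
    if isinstance(ip, IPv4Address):
        return any(ip in net for net in BLOCKED_V4)
    if any(ip in net for net in BLOCKED_V6):
        return True
    return any(is_blocked(v4) for v4 in embedded_ipv4_candidates(ip))


def resolve_host(host: str) -> list[IPv4Address | IPv6Address]:
    """IP literal -> itself; hostname -> every A/AAAA answer (needs DNS access)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def safe_download_url(url: str, resolver=resolve_host) -> bool:
    """Allow only http(s) URLs whose every resolved address passes is_blocked()."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return not any(is_blocked(ip) for ip in resolver(parts.hostname))


if __name__ == "__main__":
    for u in (
        "http://[::169.254.169.254]/latest/meta-data/",
        "http://[64:ff9b:1::169.254.169.254]/latest/meta-data/",
        "http://[2001:db8:64::169.254.169.254]/latest/meta-data/",
        "http://[2001:db8::5efe:169.254.169.254]/latest/meta-data/",
        "https://[2001:db8::1]/report.pdf",
    ):
        print("allow" if safe_download_url(u) else "block", u)
```

For the NAT64 prefixes the check is deliberately over-inclusive: it decodes the IPv4 at the RFC 6052 byte position for the prefix length and, for prefixes shorter than /96, also treats a non-zero low 32 bits as an embedded address, which is the spelling the advisory's URLs use. A public address encoded either way (for example 192.0.2.10 as `64:ff9b:1:c000:2:a00::`) is still allowed, so the filter stays selective rather than blocking NAT64 outright. Run the check on every address a hostname resolves to, not only on literals, since the blocklist is only as good as the addresses it is actually applied to.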
Impact:
Confidentiality – An attacker can retrieve cloud IAM short‑term credentials, potentially leading to unauthorised access to cloud resources.
Integrity – No direct integrity impact; the vulnerability is strictly information disclosure.
Availability – No direct availability impact.
Scope – The attack requires a specific application configuration (allow-local) and a network that routes the chosen IPv6 transition form. Most standard dual‑stack deployments are not exploitable in practice. However, for affected environments, the exposure of credentials can be severe.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

