CVE-2026-46678

MEDIUMPre-NVD 6.86.8

6.8

Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)

Summary

When an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs), the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form (IPv4-mapped IPv6, 6to4, or NAT64). Dual-stack and translated networks route the IPv6 wrapper to the underlying IPv4 endpoint, exposing cloud IAM short-term credentials.

This is an incomplete fix of GHSA-2jrp-274c-jhv3 / CVE-2026-25580. The parent advisory's remediation guaranteed that "cloud metadata endpoints are always blocked, even with allow-local." That guarantee did not hold for IPv6-encoded forms of the metadata IPs.

Severity

Same impact metrics as the parent CVE, but materially narrower attack surface (AC:H instead of AC:L), because exploitation requires the application to have opted into allow-local on a URL influenced by untrusted input.

Who Is Affected

Applications are affected only if they explicitly opt for FileUrl (ImageUrl, AudioUrl, VideoUrl, DocumentUrl) into force_download='allow-local' on a URL that is, or could be, influenced by untrusted input.

Applications are not affected if they use any of the bundled integrations to ingest user input, because they do not propagate force_download from external data:

Agent.to_web / clai web
VercelAIAdapter
AGUIAdapter / Agent.to_ag_ui

Applications that only download from developer-controlled URLs are not affected.

Remediation

Upgrade to 1.99.0 or later. The cloud-metadata and private-IP blocklists now apply to IPv6 transition forms that route to a blocked IPv4 endpoint (IPv4-mapped IPv6, 6to4, and NAT64 well-known prefix). The blocklists have also been extended to cover additional IANA-reserved IPv4 and IPv6 special-purpose ranges.

Workaround for Unpatched Versions

Avoid passing force_download='allow-local' on any URL that could be influenced by untrusted input. If developers must, resolve the hostname themselves and validate the result against their own metadata blocklist — including IPv6-encoded forms — before constructing the FileUrl.

Credits

Reported by j0hndo.

CVSS v3: 6.8
EG Score: 6.8(low)
EPSS: —
KEV: Not listed

Published

May 21, 2026

Last Modified

May 21, 2026

Vendor Advisories for CVE-2026-46678(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-cqp8-fcvh-x7r3
GitHub Security AdvisoriesMedium
Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)

Data Freshness Timeline

(refreshed 0× in last 7d / 1× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-24 06:09 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-46678?

CVE-2026-46678 is a medium vulnerability published on May 21, 2026. Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580) Summary When an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs), the cloud-metadata blocklist could be…

When was CVE-2026-46678 disclosed?

CVE-2026-46678 was first published in the National Vulnerability Database on May 21, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

What is the CVSS score of CVE-2026-46678?

CVE-2026-46678 has a CVSS v3 base score of 6.8 (NVD). The EG score is currently aggregating — additional source signals are being incorporated as they become available..

How do I remediate CVE-2026-46678?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-46678, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-46678

Explore →

Is Your Infrastructure Affected by CVE-2026-46678?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs