Search
Find a vulnerability
Search criteria
6 vulnerabilities found for pydantic-ai by pydantic
CVE-2026-48782 (GCVE-0-2026-48782)
Vulnerability from nvd – Published: 2026-06-16 22:49 – Updated: 2026-06-17 14:22
VLAI
Title
pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
Summary
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/pydantic/pydantic-ai/security/… | x_refsource_CONFIRM |
| https://github.com/pydantic/pydantic-ai/pull/5596 | x_refsource_MISC |
| https://github.com/pydantic/pydantic-ai/commit/1a… | x_refsource_MISC |
| https://github.com/pydantic/pydantic-ai/releases/… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| pydantic | pydantic-ai |
Affected:
>= 1.56.0, < 1.102.0
Affected: >= 2.0.0b1, < 2.0.0b3 |
|
| pydantic | pydantic-ai-slim |
Affected:
>= 2.0.0b1, < 2.0.0b3
Affected: >= 1.56.0, < 1.102.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T14:22:37.373304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:22:48.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pydantic-ai",
"vendor": "pydantic",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.56.0, \u003c 1.102.0"
},
{
"status": "affected",
"version": "\u003e= 2.0.0b1, \u003c 2.0.0b3"
}
]
},
{
"product": "pydantic-ai-slim",
"vendor": "pydantic",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0b1, \u003c 2.0.0b3"
},
{
"status": "affected",
"version": "\u003e= 1.56.0, \u003c 1.102.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download=\u0027allow-local\u0027 (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T22:49:26.750Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-cg7w-rg45-pc59",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-cg7w-rg45-pc59"
},
{
"name": "https://github.com/pydantic/pydantic-ai/pull/5596",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pydantic/pydantic-ai/pull/5596"
},
{
"name": "https://github.com/pydantic/pydantic-ai/commit/1add06179ba4de259f7ab977620b697b7209f7e4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pydantic/pydantic-ai/commit/1add06179ba4de259f7ab977620b697b7209f7e4"
},
{
"name": "https://github.com/pydantic/pydantic-ai/releases/tag/v1.102.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pydantic/pydantic-ai/releases/tag/v1.102.0"
}
],
"source": {
"advisory": "GHSA-cg7w-rg45-pc59",
"discovery": "UNKNOWN"
},
"title": "pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48782",
"datePublished": "2026-06-16T22:49:26.750Z",
"dateReserved": "2026-05-22T20:18:20.365Z",
"dateUpdated": "2026-06-17T14:22:48.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25580 (GCVE-0-2026-25580)
Vulnerability from nvd – Published: 2026-02-06 21:01 – Updated: 2026-06-30 12:06
VLAI
Title
Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling
Summary
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/pydantic/pydantic-ai/security/… | x_refsource_CONFIRM |
| https://github.com/pydantic/pydantic-ai/commit/d3… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-25580 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2437781 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| pydantic | pydantic-ai |
Affected:
>= 0.0.26, < 1.56.0
|
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25580",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:21:59.190923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:27:37.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
}
],
"datePublic": "2026-02-06T21:01:38.035Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Pydantic AI. This Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to include malicious URLs within untrusted message history. When processed by the application, these URLs can force the server to make unauthorized HTTP requests to internal network resources. This could lead to the disclosure of sensitive internal information or access to cloud credentials."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:06:33.493Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-25580"
},
{
"name": "RHBZ#2437781",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437781"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25580.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-09T11:05:31.886Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-06T21:01:38.035Z",
"value": "Made public."
}
],
"title": "Pydantic AI: Pydantic AI: Information disclosure via Server-Side Request Forgery (SSRF) through malicious URLs in message history.",
"workarounds": [
{
"lang": "en",
"value": "To mitigate, configure applications using Pydantic AI to avoid accepting message history from untrusted external sources. Implement robust input validation and sanitization for all URLs processed by the application. Additionally, restrict network access for the Pydantic AI application to only essential internal and external resources, thereby limiting the potential impact of SSRF attacks."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "pydantic-ai",
"vendor": "pydantic",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.26, \u003c 1.56.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI\u0027s URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T21:01:38.035Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3"
},
{
"name": "https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301"
}
],
"source": {
"advisory": "GHSA-2jrp-274c-jhv3",
"discovery": "UNKNOWN"
},
"title": "Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25580",
"datePublished": "2026-02-06T21:01:38.035Z",
"dateReserved": "2026-02-03T01:02:46.715Z",
"dateUpdated": "2026-06-30T12:06:33.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25640 (GCVE-0-2026-25640)
Vulnerability from nvd – Published: 2026-02-06 20:01 – Updated: 2026-06-30 12:06
VLAI
Title
Pydantic AI affected by Stored XSS via Path Traversal in Web UI CDN URL
Summary
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/pydantic/pydantic-ai/security/… | x_refsource_CONFIRM |
| https://github.com/pydantic/pydantic-ai/releases/… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-25640 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2437753 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| pydantic | pydantic-ai |
Affected:
>= 1.34.0, < 1.51.0
|
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T20:16:17.763231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:16:23.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
}
],
"datePublic": "2026-02-06T20:01:53.892Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Pydantic AI. A remote attacker can exploit a path traversal vulnerability in the Pydantic AI web UI by crafting a malicious URL. This vulnerability arises from insufficient validation of the version query parameter, allowing the server to fetch and serve attacker-controlled HTML or JavaScript. If a victim clicks on such a link, malicious code can execute in their browser, potentially leading to the theft of sensitive client-side data, including chat history."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:06:32.866Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-25640"
},
{
"name": "RHBZ#2437753",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437753"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25640.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-09T11:03:46.831Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-06T20:01:53.892Z",
"value": "Made public."
}
],
"title": "Pydantic AI: Pydantic AI: Arbitrary code execution and information disclosure via path traversal in web UI",
"workarounds": [
{
"lang": "en",
"value": "To reduce exposure, restrict network access to the Pydantic AI web interface. If the application is deployed on a remote server, configure firewall rules to limit access to trusted networks or localhost. This prevents untrusted clients from reaching the vulnerable component. After applying firewall changes, ensure the rules are persistent and the firewall service is reloaded."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "pydantic-ai",
"vendor": "pydantic",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.34.0, \u003c 1.51.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:01:53.892Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7"
},
{
"name": "https://github.com/pydantic/pydantic-ai/releases/tag/v1.51.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pydantic/pydantic-ai/releases/tag/v1.51.0"
}
],
"source": {
"advisory": "GHSA-wjp5-868j-wqv7",
"discovery": "UNKNOWN"
},
"title": "Pydantic AI affected by Stored XSS via Path Traversal in Web UI CDN URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25640",
"datePublished": "2026-02-06T20:01:53.892Z",
"dateReserved": "2026-02-04T05:15:41.791Z",
"dateUpdated": "2026-06-30T12:06:32.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48782 (GCVE-0-2026-48782)
Vulnerability from cvelistv5 – Published: 2026-06-16 22:49 – Updated: 2026-06-17 14:22
VLAI
Title
pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
Summary
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/pydantic/pydantic-ai/security/… | x_refsource_CONFIRM |
| https://github.com/pydantic/pydantic-ai/pull/5596 | x_refsource_MISC |
| https://github.com/pydantic/pydantic-ai/commit/1a… | x_refsource_MISC |
| https://github.com/pydantic/pydantic-ai/releases/… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| pydantic | pydantic-ai |
Affected:
>= 1.56.0, < 1.102.0
Affected: >= 2.0.0b1, < 2.0.0b3 |
|
| pydantic | pydantic-ai-slim |
Affected:
>= 2.0.0b1, < 2.0.0b3
Affected: >= 1.56.0, < 1.102.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T14:22:37.373304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:22:48.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pydantic-ai",
"vendor": "pydantic",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.56.0, \u003c 1.102.0"
},
{
"status": "affected",
"version": "\u003e= 2.0.0b1, \u003c 2.0.0b3"
}
]
},
{
"product": "pydantic-ai-slim",
"vendor": "pydantic",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0b1, \u003c 2.0.0b3"
},
{
"status": "affected",
"version": "\u003e= 1.56.0, \u003c 1.102.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download=\u0027allow-local\u0027 (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T22:49:26.750Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-cg7w-rg45-pc59",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-cg7w-rg45-pc59"
},
{
"name": "https://github.com/pydantic/pydantic-ai/pull/5596",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pydantic/pydantic-ai/pull/5596"
},
{
"name": "https://github.com/pydantic/pydantic-ai/commit/1add06179ba4de259f7ab977620b697b7209f7e4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pydantic/pydantic-ai/commit/1add06179ba4de259f7ab977620b697b7209f7e4"
},
{
"name": "https://github.com/pydantic/pydantic-ai/releases/tag/v1.102.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pydantic/pydantic-ai/releases/tag/v1.102.0"
}
],
"source": {
"advisory": "GHSA-cg7w-rg45-pc59",
"discovery": "UNKNOWN"
},
"title": "pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48782",
"datePublished": "2026-06-16T22:49:26.750Z",
"dateReserved": "2026-05-22T20:18:20.365Z",
"dateUpdated": "2026-06-17T14:22:48.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25580 (GCVE-0-2026-25580)
Vulnerability from cvelistv5 – Published: 2026-02-06 21:01 – Updated: 2026-06-30 12:06
VLAI
Title
Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling
Summary
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/pydantic/pydantic-ai/security/… | x_refsource_CONFIRM |
| https://github.com/pydantic/pydantic-ai/commit/d3… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-25580 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2437781 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| pydantic | pydantic-ai |
Affected:
>= 0.0.26, < 1.56.0
|
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25580",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:21:59.190923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:27:37.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
}
],
"datePublic": "2026-02-06T21:01:38.035Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Pydantic AI. This Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to include malicious URLs within untrusted message history. When processed by the application, these URLs can force the server to make unauthorized HTTP requests to internal network resources. This could lead to the disclosure of sensitive internal information or access to cloud credentials."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:06:33.493Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-25580"
},
{
"name": "RHBZ#2437781",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437781"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25580.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-09T11:05:31.886Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-06T21:01:38.035Z",
"value": "Made public."
}
],
"title": "Pydantic AI: Pydantic AI: Information disclosure via Server-Side Request Forgery (SSRF) through malicious URLs in message history.",
"workarounds": [
{
"lang": "en",
"value": "To mitigate, configure applications using Pydantic AI to avoid accepting message history from untrusted external sources. Implement robust input validation and sanitization for all URLs processed by the application. Additionally, restrict network access for the Pydantic AI application to only essential internal and external resources, thereby limiting the potential impact of SSRF attacks."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "pydantic-ai",
"vendor": "pydantic",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.26, \u003c 1.56.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI\u0027s URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T21:01:38.035Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3"
},
{
"name": "https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301"
}
],
"source": {
"advisory": "GHSA-2jrp-274c-jhv3",
"discovery": "UNKNOWN"
},
"title": "Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25580",
"datePublished": "2026-02-06T21:01:38.035Z",
"dateReserved": "2026-02-03T01:02:46.715Z",
"dateUpdated": "2026-06-30T12:06:33.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25640 (GCVE-0-2026-25640)
Vulnerability from cvelistv5 – Published: 2026-02-06 20:01 – Updated: 2026-06-30 12:06
VLAI
Title
Pydantic AI affected by Stored XSS via Path Traversal in Web UI CDN URL
Summary
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/pydantic/pydantic-ai/security/… | x_refsource_CONFIRM |
| https://github.com/pydantic/pydantic-ai/releases/… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-25640 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2437753 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| pydantic | pydantic-ai |
Affected:
>= 1.34.0, < 1.51.0
|
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T20:16:17.763231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:16:23.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
}
],
"datePublic": "2026-02-06T20:01:53.892Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Pydantic AI. A remote attacker can exploit a path traversal vulnerability in the Pydantic AI web UI by crafting a malicious URL. This vulnerability arises from insufficient validation of the version query parameter, allowing the server to fetch and serve attacker-controlled HTML or JavaScript. If a victim clicks on such a link, malicious code can execute in their browser, potentially leading to the theft of sensitive client-side data, including chat history."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:06:32.866Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-25640"
},
{
"name": "RHBZ#2437753",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437753"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25640.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-09T11:03:46.831Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-06T20:01:53.892Z",
"value": "Made public."
}
],
"title": "Pydantic AI: Pydantic AI: Arbitrary code execution and information disclosure via path traversal in web UI",
"workarounds": [
{
"lang": "en",
"value": "To reduce exposure, restrict network access to the Pydantic AI web interface. If the application is deployed on a remote server, configure firewall rules to limit access to trusted networks or localhost. This prevents untrusted clients from reaching the vulnerable component. After applying firewall changes, ensure the rules are persistent and the firewall service is reloaded."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "pydantic-ai",
"vendor": "pydantic",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.34.0, \u003c 1.51.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:01:53.892Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7"
},
{
"name": "https://github.com/pydantic/pydantic-ai/releases/tag/v1.51.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pydantic/pydantic-ai/releases/tag/v1.51.0"
}
],
"source": {
"advisory": "GHSA-wjp5-868j-wqv7",
"discovery": "UNKNOWN"
},
"title": "Pydantic AI affected by Stored XSS via Path Traversal in Web UI CDN URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25640",
"datePublished": "2026-02-06T20:01:53.892Z",
"dateReserved": "2026-02-04T05:15:41.791Z",
"dateUpdated": "2026-06-30T12:06:32.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}