Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-48782— pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)

CVSS 6.8 · Medium EPSS 0.33% · P25

Affected Version Matrix 4

VendorProductVersion RangeStatus
pydanticpydantic-ai>= 1.56.0, < 1.102.0affected
>= 2.0.0b1, < 2.0.0b3affected
pydanticpydantic-ai-slim>= 2.0.0b1, < 2.0.0b3affected
>= 1.56.0, < 1.102.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-48782

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
pydantic-ai 服务端请求伪造漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Pydantic pydantic-ai是Pydantic组织开源的一个用于构建生产级应用程序和工作流的生成式AI框架。 pydantic-ai存在服务端请求伪造漏洞,该漏洞源于云元数据阻止列表绕过问题,通过使用IPv6过渡形式对元数据IP进行编码暴露了云IAM短期凭据,可能导致攻击者从IPv4元数据端点获取信息。以下版本受到影响:1.56.0版本至1.101.0版本、2.0.0b1版本和2.0.0b2版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
pydanticpydantic-ai >= 1.56.0, < 1.102.0 -
pydanticpydantic-ai-slim >= 2.0.0b1, < 2.0.0b3 -

II. Public POCs for CVE-2026-48782

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-48782

登录查看更多情报信息。

Patches & Fixes for CVE-2026-48782 (2)

Vendor Advisories for CVE-2026-48782 (1)

Vendor Pages for CVE-2026-48782 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-48782

No comments yet


Leave a comment