pydantic-ai

CVE-2026-25580

CVE-2026-25580 is a high-severity server-side request forgery (SSRF) vulnerability in pydantic-ai (pip), affecting versions >= 0.0.26, < 1.56.0. It is fixed in 1.56.0.

Key facts
  • CVSS score: 8.6 (High)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: pydantic-ai
  • Fixed in: 1.56.0
  • Disclosed: 2026

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials.

This vulnerability only affects applications that accept message history from external users, such as those using:

  • Agent.to_web or clai web to serve a chat interface
  • VercelAIAdapter for Vercel AI SDK integration
  • AGUIAdapter or Agent.to_ag_ui for AG-UI protocol integration
  • Custom APIs that accept message history from user input

Applications that only use hardcoded or developer-controlled URLs are not affected.

Description

The download_item() helper function downloads content from URLs without validating that the target is a public internet address. When user-supplied message history contains URLs, attackers can:

  • Access internal services: Request http://127.0.0.1, localhost, or private IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
  • Steal cloud credentials: Access cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254, GCP, Azure, Alibaba Cloud)
  • Scan internal networks: Enumerate internal hosts and ports

Who Is Affected

You are affected if your application:

  • Uses Agent.to_web or clai web - The web interface accepts file attachments via the Vercel AI Data Stream Protocol, where users can provide arbitrary URLs through chat messages.
  • Uses VercelAIAdapter - Chat interfaces built with Vercel AI SDK allow users to submit messages containing URLs that are processed server-side.
  • Uses AGUIAdapter or Agent.to_ag_ui - The AG-UI protocol allows users to provide file references with URLs as part of agent interactions.
  • Exposes a custom API accepting message history - Any endpoint that accepts message history or ImageUrl, AudioUrl, VideoUrl, DocumentUrl objects from user input.

Attack Scenario

Via chat interface, an attacker submits a message with a file attachment pointing to an internal resource:

Affected Model Integrations

Multiple model integrations download URL content in certain conditions:

| Provider | Downloaded Types |
|----------|------------------|
| OpenAIChatModel | AudioUrl, DocumentUrl |
| AnthropicModel | DocumentUrl (text/plain) |
| GoogleModel (GLA) | All URL types (except YouTube and Files API URLs) |
| XaiModel | DocumentUrl |
| BedrockConverseModel | ImageUrl, DocumentUrl, VideoUrl (non-S3 URLs) |
| OpenRouterModel | AudioUrl |

Remediation

Upgrade to Patched Version

Upgrade to the patched version or later. The fix adds comprehensive SSRF protection:

  • Blocks private/internal IP addresses by default
  • Always blocks cloud metadata endpoints (even with allow-local)
  • Only allows http:// and https:// protocols
  • Resolves hostnames before requests to prevent DNS rebinding
  • Validates each redirect target

New force_download='allow-local' Option

If an application legitimately needs to access local/private network resources (e.g., in a fully trusted internal environment), it can explicitly opt in:

Important: Cloud metadata endpoints (169.254.169.254, fd00:ec2::254, 100.100.100.200) are always blocked, even with allow-local.

Workaround for Older Versions

If a project cannot upgrade immediately, use a history processor to filter out URLs targeting local/private addresses:

Technical Details of the Fix

The fix introduces a new _ssrf.py module with comprehensive protection:

  • Protocol validation: Only http:// and https:// allowed
  • DNS resolution before request: Prevents DNS rebinding attacks
  • Private IP blocking (by default):
      • 127.0.0.0/8, ::1/128 (loopback)
      • 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (private)
      • 169.254.0.0/16, fe80::/10 (link-local)
      • 100.64.0.0/10 (CGNAT)
      • fc00::/7 (unique local)
      • 2002::/16 (6to4, can embed private IPv4)
  • Cloud metadata always blocked: 169.254.169.254, fd00:ec2::254, 100.100.100.200
  • Safe redirect handling: Each redirect validated before following (max 10)
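
The checks listed under Technical Details of the Fix, written out as a standalone standard-library validator. This is an added example, not pydantic-ai's own _ssrf.py code; the names check_url, system_resolver, BLOCKED_NETS and METADATA are assumptions of the example, and the address ranges are the ones listed above. Redirects are left to the caller, which would pass each redirect target through the same function.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges and metadata addresses as listed in the advisory text above.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10", "100.64.0.0/10", "fc00::/7", "2002::/16")]
METADATA = {ipaddress.ip_address(a) for a in (
    "169.254.169.254", "fd00:ec2::254", "100.100.100.200")}


def system_resolver(host, port):
    """Every address the OS resolver returns for host (scope IDs stripped)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0].split("%")[0] for info in infos]


def check_url(url, allow_local=False, resolver=system_resolver):
    """Return (allowed, reason, addresses); every resolved address must pass."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        try:
            addrs = resolver(parts.hostname, port)  # hostname: resolve first
        except OSError:
            addrs = []
    if not addrs:
        return False, "resolution failed", []
    for text in addrs:
        ip = ipaddress.ip_address(text)
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if ip in METADATA:  # blocked even when allow_local is set
            return False, "cloud metadata endpoint", []
        if not allow_local and any(ip in net for net in BLOCKED_NETS):
            return False, "private or local address", []
    return True, "ok", addrs
```

For the resolve-before-request step to protect against DNS rebinding, the HTTP client has to connect to one of the returned addresses rather than resolving the hostname a second time.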

Impact

What is server-side request forgery (SSRF)?

Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.

Severity and exposure

CVE-2026-25580 has a CVSS score of 8.6 (High). The attack vector is the network, with no privileges and no user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (1.56.0). Upgrading removes the vulnerable code path.

Affected versions

pip

  • pydantic-ai (>= 0.0.26, < 1.56.0)
  • pydantic-ai-slim (>= 0.0.26, < 1.56.0)

Security releases

  • pydantic-ai → 1.56.0 (pip)
  • pydantic-ai-slim → 1.56.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-25580 is reachable in your applications. Explore open-source security for your team.

Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • Upgrade pydantic-ai to 1.56.0 or later
  • Upgrade pydantic-ai-slim to 1.56.0 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-25580

What is CVE-2026-25580?

CVE-2026-25580 is a high-severity server-side request forgery (SSRF) vulnerability in pydantic-ai (pip), affecting versions >= 0.0.26, < 1.56.0. It is fixed in 1.56.0. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.

How severe is CVE-2026-25580?

CVE-2026-25580 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which packages are affected by CVE-2026-25580?

  • pydantic-ai (pip) (versions >= 0.0.26, < 1.56.0)
  • pydantic-ai-slim (pip) (versions >= 0.0.26, < 1.56.0)

Is there a fix for CVE-2026-25580?

Yes. CVE-2026-25580 is fixed in 1.56.0. Upgrade to this version or later.

Is CVE-2026-25580 exploitable, and should I be worried?

Whether CVE-2026-25580 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-25580 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-25580?

  • Upgrade pydantic-ai to 1.56.0 or later
  • Upgrade pydantic-ai-slim to 1.56.0 or later