CVE-2026-46678 is a medium-severity server-side request forgery (SSRF) vulnerability in pydantic-ai (pip), affecting versions >= 1.56.0, < 1.99.0. It is fixed in 1.99.0.
Summary
When an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs), the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form (IPv4-mapped IPv6, 6to4, or NAT64). Dual-stack and translated networks route the IPv6 wrapper to the underlying IPv4 endpoint, exposing cloud IAM short-term credentials.
This is an incomplete fix of GHSA-2jrp-274c-jhv3 / CVE-2026-25580. The parent advisory's remediation guaranteed that "cloud metadata endpoints are always blocked, even with allow-local." That guarantee did not hold for IPv6-encoded forms of the metadata IPs.
Severity
Same impact metrics as the parent CVE, but a materially narrower attack surface (AC:H instead of AC:L), because exploitation requires the application to have opted into allow-local on a URL influenced by untrusted input.
Who Is Affected
Applications are affected only if they explicitly opt a FileUrl (ImageUrl, AudioUrl, VideoUrl, DocumentUrl) into force_download='allow-local' on a URL that is, or could be, influenced by untrusted input.
Applications are not affected if they use any of the bundled integrations to ingest user input, because those integrations do not propagate force_download from external data:
  Agent.to_web / clai web
  VercelAIAdapter
  AGUIAdapter / Agent.to_ag_ui
Applications that only download from developer-controlled URLs are not affected.
Remediation
Upgrade to 1.99.0 or later. The cloud-metadata and private-IP blocklists now apply to IPv6 transition forms that route to a blocked IPv4 endpoint (IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix). The blocklists have also been extended to cover additional IANA-reserved IPv4 and IPv6 special-purpose ranges.
Workaround for Unpatched Versions
Avoid passing force_download='allow-local' on any URL that could be influenced by untrusted input. If developers must, resolve the hostname themselves and validate the result against their own metadata blocklist, including IPv6-encoded forms, before constructing the FileUrl.
Credits
Reported by j0hndo.
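The workaround above leaves the application to do the resolution and the blocklist check itself. The following is an added example of such a check, not code from the pydantic-ai project; it assumes the caller injects its own resolver (the default uses `socket.getaddrinfo`), and the blocklist entries (the 169.254.169.254 metadata address plus AWS's fd00:ec2::254 IPv6 IMDS address) are this example's own choices. It unwraps the three IPv6 transition forms the advisory names (IPv4-mapped, 6to4, NAT64 well-known prefix) so that an IPv6 wrapper around a blocked IPv4 address is caught before a FileUrl is constructed.

```python
"""Pre-construction hostname check for force_download='allow-local'.

Added example, not pydantic-ai project code. Metadata addresses and the
resolver are assumptions for this example; adapt them to your environment.
"""
import ipaddress
import socket
from typing import Callable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]

# Assumed metadata blocklist: the link-local metadata address used by the
# major clouds, plus the AWS IMDS IPv6 address. Extend for your own platform.
METADATA_IPS = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}
# RFC 6052 NAT64 well-known prefix: the IPv4 address sits in the low 32 bits.
NAT64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")


def embedded_ipv4(addr: ipaddress.IPv6Address):
    """Return the IPv4 address an IPv6 transition address routes to, else None."""
    if addr.ipv4_mapped is not None:      # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr.sixtofour is not None:        # 2002:AABB:CCDD::/48 (a.b.c.d = AA.BB.CC.DD)
        return addr.sixtofour
    if addr in NAT64_WELL_KNOWN:          # 64:ff9b::a.b.c.d
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def hits_metadata(ip: Union[str, IPAddress]) -> bool:
    """True if ip is a metadata endpoint, directly or via an IPv6 wrapper."""
    ip = ipaddress.ip_address(ip)
    candidates = [ip]
    if isinstance(ip, ipaddress.IPv6Address):
        inner = embedded_ipv4(ip)
        if inner is not None:
            candidates.append(inner)
    return any(c in METADATA_IPS for c in candidates)


def default_resolver(host: str) -> List[str]:
    """Resolve host to every A/AAAA answer (requires network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url: str, resolver: Resolver = default_resolver) -> bool:
    """Return True if no address behind the URL's host is a metadata endpoint.

    Every resolved address is checked, not just the first one, because the
    fetcher may pick any of them. Literal IPs (including bracketed IPv6
    literals, which urlsplit unwraps) are checked without a DNS lookup.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    return not any(hits_metadata(a) for a in addrs)


if __name__ == "__main__":
    # Constructed sample inputs: a static resolver stands in for DNS.
    fake_dns = lambda host: {"files.example": ["203.0.113.7"],
                             "lookalike.example": ["::ffff:169.254.169.254"]}[host]
    for u in ("http://files.example/doc.pdf",
              "http://lookalike.example/doc.pdf",
              "http://[64:ff9b::169.254.169.254]/latest/meta-data/"):
        print(u, "->", "ok" if check_url(u, fake_dns) else "BLOCKED")
```

Run `check_url` on the untrusted URL and only construct the FileUrl with force_download='allow-local' when it returns True. The check is only as strong as the consistency of the lookup: a name that resolves to a different address on a later lookup passes it, so where possible validate a literal address or pin the resolved address rather than re-resolving at fetch time.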
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2026-46678 has a CVSS score of 6.8 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.99.0). Upgrading removes the vulnerable code path.
pip
pydantic-ai (>= 1.56.0, < 1.99.0)
pydantic-ai-slim (>= 1.56.0, < 1.99.0)
pydantic-ai → 1.99.0 (pip)
pydantic-ai-slim → 1.99.0 (pip)
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-46678 is reachable in your applications.
Upgrade the following packages to resolve this vulnerability:
pydantic-ai to 1.99.0 or later
pydantic-ai-slim to 1.99.0 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.