CVE-2026-6604
Received - Intake
Server-Side Request Forgery in Modelscope Agentscope Cloud Endpoint

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in modelscope agentscope up to 1.0.18. Affected by this issue is the function _parse_url/prepare_image/openai_audio_to_text of the file src/agentscope/tool/_multi_modality/_openai_tools.py of the component Cloud Metadata Endpoint. Such manipulation of the argument image_url/audio_file_url leads to server-side request forgery. The attack may be performed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-04-20
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
modelscope | agentscope | to 1.0.18 (inc)
CWE ID | Description
CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in modelscope agentscope up to version 1.0.18, specifically in the function _parse_url/prepare_image/openai_audio_to_text within the file src/agentscope/tool/_multi_modality/_openai_tools.py of the Cloud Metadata Endpoint component.

The issue arises from improper handling or manipulation of the argument image_url or audio_file_url, which can lead to server-side request forgery (SSRF). This means an attacker can make the server perform unauthorized requests to internal or external resources.

The attack can be performed remotely, and an exploit is publicly available. The vendor was contacted but did not respond.


How can this vulnerability impact me?

This vulnerability can allow an attacker to perform server-side request forgery, which may enable them to access internal systems or resources that are not normally accessible from outside the network.

Such unauthorized requests could lead to information disclosure, unauthorized actions on behalf of the server, or further exploitation of internal services.

Because the attack can be performed remotely and the exploit is publicly available, the risk of exploitation is significant if the affected software is in use.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-6604 is a blind Server-Side Request Forgery (SSRF) vulnerability that allows attackers to induce the server to make HTTP requests to internal or cloud metadata endpoints without direct data exfiltration.

Although the vulnerability does not allow direct exfiltration of sensitive data such as cloud IAM credentials or local file contents, it enables internal network reconnaissance and potential side effects on internal services.

From a compliance perspective, this vulnerability could pose risks to standards like GDPR or HIPAA if attackers leverage it to map internal networks or trigger side effects that might lead to indirect exposure or disruption of protected data environments.

However, since no direct data leakage occurs and response content is not returned to the attacker, the immediate impact on data confidentiality required by these regulations is limited.

Organizations should consider this vulnerability as a potential vector for internal reconnaissance and denial of service, which could indirectly affect compliance by undermining system integrity and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2026-6604 involves monitoring for unusual outbound HTTP requests initiated by the AgentScope application, especially those targeting internal or cloud metadata endpoints such as http://169.254.169.254/latest/meta-data/iam/security-credentials/role.

Since the vulnerability is a blind SSRF triggered by unvalidated URLs passed to requests.get(), network detection can focus on identifying unexpected HTTP GET requests from the AgentScope server to internal IP ranges or cloud metadata services.

Suggested commands to detect potential exploitation attempts include:

  • Using tcpdump or tshark to capture outbound HTTP requests from the AgentScope host: tcpdump -i <interface> -nn 'host <AgentScope_IP> and (port 80 or port 443)'
  • Using curl or wget to test if the application performs HTTP GET requests on crafted URLs by triggering the vulnerable functions with controlled inputs (if possible in a test environment).
  • Checking application logs for any unusual errors or timeouts related to HTTP requests to internal or cloud metadata IPs.
  • Using network monitoring tools or IDS/IPS to alert on outbound requests to sensitive internal IP ranges or cloud metadata endpoints.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps for CVE-2026-6604 include:

  • Restrict outbound HTTP requests from the AgentScope server to only trusted external endpoints, blocking access to internal IP ranges and cloud metadata IPs (e.g., 169.254.169.254).
  • Implement network-level controls such as firewall rules or proxy filtering to prevent the server from making unauthorized HTTP requests to internal or sensitive endpoints.
  • If possible, update or patch the AgentScope package to a version that addresses this vulnerability once available.
  • As a temporary workaround, disable or restrict the use of the vulnerable multimodal tool functions (_parse_url, prepare_image, openai_audio_to_text) that perform unvalidated requests.
  • Monitor logs and network traffic for signs of exploitation attempts and respond accordingly.
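
One way to apply the "restrict outbound requests" step inside the application is to vet image_url / audio_file_url before anything is fetched. The following is an added example, not AgentScope code or a vendor patch; the names `validate_fetch_url`, `is_blocked_ip` and `UnsafeURLError` are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURLError(ValueError):
    """Raised when a URL must not be fetched by the server."""


def _system_resolver(host, port):
    # Every A/AAAA record the name resolves to, not just the first one.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_blocked_ip(text):
    ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # which contains 169.254.169.254) and other reserved ranges.
    return not ip.is_global


def validate_fetch_url(url, resolver=_system_resolver):
    """Return the vetted addresses for url, or raise UnsafeURLError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURLError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeURLError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addresses = resolver(parts.hostname, port)
    except OSError as exc:
        raise UnsafeURLError(f"cannot resolve host: {exc}") from exc
    if not addresses:
        raise UnsafeURLError("host resolved to no addresses")
    # Refuse if ANY record is internal: one bad record is enough to be routed there.
    blocked = [a for a in addresses if is_blocked_ip(a)]
    if blocked:
        raise UnsafeURLError(f"internal address refused: {blocked}")
    return addresses
```

The check is only as good as the fetch that follows it: connect to one of the returned addresses and pass `allow_redirects=False` to `requests.get()`, otherwise a second DNS lookup or a redirect can still lead to an internal endpoint.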
