CVE-2026-48782
Status: Received - Intake
IPv6 Transition Bypass in Pydantic AI Cloud Metadata

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3.
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
pydantic pydantic-ai From 1.56.0 (inc) to 1.101.0 (inc)
pydantic pydantic-ai From 2.0.0b1 (inc) to 2.0.0b2 (inc)
pydantic pydantic-ai 1.102.0
pydantic pydantic-ai 2.0.0b3
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

CVE-2026-48782 is a Server-Side Request Forgery (SSRF) vulnerability in the Pydantic AI Python agent framework. It allows attackers to bypass the cloud-metadata blocklist by encoding cloud metadata IP addresses using certain IPv6 transition forms that were not properly decoded by previous fixes. This bypass occurs when an application using Pydantic AI opts into the `force_download='allow-local'` option on URLs influenced by untrusted input, and the network routes specific IPv6 transition forms such as NAT64 or ISATAP. As a result, attackers can access cloud IAM short-term credentials by disguising blocked IPv4 endpoints within IPv6 wrappers.

The vulnerability affects versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2 of pydantic-ai. It was fixed in versions 1.102.0 and 2.0.0b3 by improving URL validation to decode all standardized IPv6 transition forms before checking against blocklists.

Impact Analysis

This vulnerability can expose cloud IAM short-term credentials by allowing attackers to bypass protections that block access to cloud metadata endpoints. If exploited, an attacker could retrieve sensitive metadata from cloud environments, potentially leading to unauthorized access or privilege escalation.

However, exploitation requires specific conditions: the application must enable `force_download='allow-local'` on URLs influenced by untrusted input, and the deployment network must route IPv6 transition forms like NAT64 or ISATAP. Standard dual-stack cloud environments are generally not affected.

Users relying on bundled integrations such as Agent.to_web, clai web, VercelAIAdapter, or AGUIAdapter are not impacted by this vulnerability.

Detection Guidance

This vulnerability involves bypassing cloud-metadata blocklists via IPv6 transition forms when using Pydantic AI with the option force_download='allow-local' on untrusted URLs in networks routing NAT64 or ISATAP IPv6 transition forms.

Detection starts with verifying whether your application uses Pydantic AI versions between 1.56.0 and 1.101.0 or 2.0.0b1 and 2.0.0b2, and whether it enables force_download='allow-local' on URLs influenced by untrusted input.

On the network side, detection requires checking if your environment routes IPv6 transition forms such as NAT64 or ISATAP tunnels, which are uncommon in standard dual-stack setups but may appear in IPv6-only or dual-stack-with-NAT64 Kubernetes deployments.

While no specific commands are provided in the resources, you can detect routing of NAT64 prefixes by checking your network configuration for the NAT64 well-known prefix (64:ff9b::/96), the RFC 8215 local-use prefix (64:ff9b:1::/48), or an operator-chosen NAT64 prefix. For example, on Linux systems, you can use commands like:

  • ip -6 route show | grep -i '64:ff9b' (lists routes under either standardized NAT64 prefix; substitute your operator's prefix if one is configured)
  • ip -6 addr show
  • ping -6 64:ff9b::a00:2 (sends a probe to 10.0.0.2 through the well-known prefix to test NAT64 reachability; older systems use ping6)

Additionally, inspecting application logs or network traffic for requests to cloud metadata IPs encoded in IPv6 transition forms may help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Pydantic AI to version 1.102.0 or later, or 2.0.0b3 or later, where the issue has been fixed by properly decoding all IPv6 transition forms before evaluating URLs.

If upgrading is not immediately possible, avoid using the option force_download='allow-local' on URLs that come from untrusted sources, as this disables the default block on private/internal IPs and enables the bypass.

As a workaround, manually validate hostnames or IP addresses against a metadata blocklist before allowing downloads or requests, ensuring that IPv6 transition forms are properly decoded to their underlying IPv4 addresses.
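The following is an added example of the workaround above, written for this write-up; it is not pydantic-ai's validation code, and its blocklist (the well-known IMDS address 169.254.169.254) and the operator NAT64 prefix 2001:db8:64::/96 are constructed for illustration. It decodes every transition form the description names (IPv4-mapped, IPv4-compatible, 6to4, NAT64 well-known, RFC 8215 local-use and operator-chosen prefixes per the RFC 6052 layouts, ISATAP, Teredo) into the IPv4 address it wraps and then applies the metadata blocklist, so it can serve both as a pre-download check and as a filter over URLs pulled from the application logs mentioned in the detection guidance.

```python
"""Decode IPv6 transition forms to their embedded IPv4 address and apply a
metadata blocklist. Example code for this advisory, not pydantic-ai's own."""
import ipaddress
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address
Net6 = ipaddress.IPv6Network

NAT64_WELL_KNOWN = Net6("64:ff9b::/96")   # RFC 6052
NAT64_LOCAL_USE = Net6("64:ff9b:1::/48")  # RFC 8215

# Constructed blocklist: 169.254.169.254 is the well-known cloud IMDS address.
# Add your provider's other metadata endpoints (IPv4 or IPv6) here.
METADATA_BLOCKLIST = [ipaddress.ip_network("169.254.169.254/32")]


def rfc6052_ipv4(addr: IPv6, net: Net6) -> Optional[IPv4]:
    """IPv4 embedded in addr under the RFC 6052 layout for net's prefix length."""
    plen = net.prefixlen
    if plen not in (32, 40, 48, 56, 64, 96):
        return None  # RFC 6052 defines only these prefix lengths
    bits = int(addr)
    if plen == 96:
        return IPv4(bits & 0xFFFFFFFF)
    # Drop the reserved 'u' byte (bits 64-71) to form a 120-bit stream;
    # the IPv4 address is the 32 bits immediately after the prefix.
    stream = ((bits >> 64) << 56) | (bits & ((1 << 56) - 1))
    shift = 120 - plen - 32
    return IPv4((stream >> shift) & 0xFFFFFFFF)


def embedded_ipv4_candidates(addr: IPv6, nat64_prefixes: Iterable[Net6] = ()) -> Set[IPv4]:
    """Every IPv4 address that addr could be delivering traffic to via a transition form."""
    bits = int(addr)
    low32 = bits & 0xFFFFFFFF
    found: Set[IPv4] = set()
    if addr.ipv4_mapped is not None:            # ::ffff:a.b.c.d (RFC 4291)
        found.add(addr.ipv4_mapped)
    if (bits >> 32) == 0 and low32 > 1:         # ::a.b.c.d, deprecated IPv4-compatible form
        found.add(IPv4(low32))
    if addr.sixtofour is not None:              # 2002:AABB:CCDD::/48 (RFC 3056)
        found.add(addr.sixtofour)
    if addr.teredo is not None:                 # 2001::/32; client IPv4 is XOR-obfuscated
        found.add(addr.teredo[1])
    for net in (NAT64_WELL_KNOWN, NAT64_LOCAL_USE, *nat64_prefixes):
        if addr in net:
            v4 = rfc6052_ipv4(addr, net)
            if v4 is not None:
                found.add(v4)
            if low32:  # translators also commonly run a /96 below a shorter prefix
                found.add(IPv4(low32))
    # ISATAP (RFC 5214): interface id [02]00:5efe:a.b.c.d under any /64 prefix;
    # mask the u/g bit so both 0000:5efe and 0200:5efe match.
    iid_high = (bits >> 32) & 0xFFFFFFFF
    if iid_high & 0xFDFFFFFF == 0x00005EFE:
        found.add(IPv4(low32))
    return found


def resolves_to_metadata(host: str, nat64_prefixes: Iterable[Net6] = ()) -> bool:
    """True if an IP literal (bracketed form allowed) is a metadata address,
    directly or through any transition form. A hostname must be resolved
    first and each returned A/AAAA record checked with this function."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    candidates = {ip}
    if isinstance(ip, IPv6):
        candidates |= embedded_ipv4_candidates(ip, nat64_prefixes)
    return any(c in net for c in candidates for net in METADATA_BLOCKLIST)


def url_targets_metadata(url: str, nat64_prefixes: Iterable[Net6] = ()) -> bool:
    """Apply the check to a URL (e.g. one taken from a request log)."""
    host = urlsplit(url).hostname
    return host is not None and resolves_to_metadata(host, nat64_prefixes)


if __name__ == "__main__":
    # Constructed sample: an operator-chosen NAT64 prefix configured by the deployer.
    operator = [Net6("2001:db8:64::/96")]
    for u in ("http://[64:ff9b:1::a9fe:a9fe]/latest/meta-data/",
              "http://[fe80::5efe:a9fe:a9fe]/latest/meta-data/",
              "http://[2001:db8:64::a9fe:a9fe]/latest/meta-data/",
              "http://[::ffff:10.0.0.1]/"):
        print(u, "BLOCKED" if url_targets_metadata(u, operator) else "allowed")
```

The check is deliberately fail-closed: every decodable embedding is collected and the request is refused if any of them is a metadata address, so an address that is ambiguous between the RFC 6052 /48 layout and a /96 sub-prefix under 64:ff9b:1::/48 is blocked either way. Operator-chosen NAT64 prefixes cannot be known in advance, so they are an input the deployer must supply from the network configuration.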

Review your network environment to understand if it routes NAT64 or ISATAP IPv6 transition forms, and consider network-level controls to restrict access to cloud metadata endpoints.

Compliance Impact

The vulnerability in Pydantic AI allows bypassing cloud-metadata blocklists, potentially exposing cloud IAM short-term credentials. This exposure of sensitive credentials could lead to unauthorized access to cloud resources, which may impact compliance with standards and regulations that require protection of sensitive data and access controls, such as GDPR and HIPAA.

However, the exploit requires specific network configurations (NAT64 or ISATAP) and application settings (enabling force_download='allow-local' on untrusted URLs), limiting the attack surface. Organizations using affected versions should apply the patch to prevent potential credential exposure and maintain compliance with security requirements in these regulations.
