CVE Disclosure

CVE-2026-48782

pydantic-ai · Python

SSRF — cloud-metadata blocklist bypass via IPv6 transition forms (NAT64, ISATAP)

CVSS: 6.8
Severity: Moderate
Class: CWE-918
Fixed in: 1.102.0 / 2.0.0b3

Summary

CVE-2026-48782 is a moderate-severity server-side request forgery (CWE-918) in pydantic-ai / pydantic-ai-slim. It is an incomplete remediation of a prior SSRF fix: when an application passes force_download='allow-local' for URLs influenced by untrusted input, an attacker can bypass the cloud-metadata blocklist by writing a metadata IP address in IPv6 transition forms the earlier patch did not normalise.

The bypass vectors are IPv4-compatible IPv6 addresses (the metadata address spelled ::169.254.169.254), NAT64-prefixed addresses (for example 64:ff9b::169.254.169.254 under the RFC 6052 well-known prefix) and ISATAP interface identifiers (::5efe:169.254.169.254 under any /64 prefix). The previous patch normalised only certain transition forms before comparison, so these spellings never matched a blocklist entry and the request went through.

Impact

In environments with NAT64 gateways or ISATAP tunnels, an attacker can reach the cloud metadata endpoint and read the short-term cloud IAM credentials it serves. Scope is changed (S:C): the request crosses a trust boundary from the application into the cloud control plane. Attack complexity is high (AC:H) because the bypass only yields a connection where the surrounding network actually translates or tunnels the transition form. Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N (base score 6.8).

Resolution

Upgrade to pydantic-ai 1.102.0 (or 2.0.0b3 on the 2.x beta line), which normalises the full set of IPv6 transition forms before applying the metadata blocklist. The lesson for reviewers: an IP allow/deny list must canonicalise every representation of an address (IPv4-mapped, IPv4-compatible, NAT64, ISATAP and 6to4) to the IPv4 address it carries before comparison. A blocklist that enumerates encodings instead of canonicalising is incomplete by construction: every encoding the list does not name is a bypass.
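To make the enumerate-versus-canonicalise distinction concrete, here is an added Python example (illustrative code written for this write-up, not pydantic-ai's code and not the patch in the advisory). It unwraps the transition forms named above to the embedded IPv4 address and compares that against a blocklist, beside a stand-in "naive" check that only handles the IPv4-mapped form. The blocklist entries (169.254.169.254, fd00:ec2::254), the NAT64 prefix list, the function names and the probe URLs are all assumptions constructed for the example; a real deployment would also resolve DNS names and check every returned address.

```python
"""Canonicalise IPv6 transition forms before a cloud-metadata blocklist check.

Illustrative code added for this write-up; it is not pydantic-ai's code.
"""
from __future__ import annotations

from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from urllib.parse import urlsplit

# Constructed blocklist (assumption): 169.254.169.254 is the IMDS address on
# AWS, GCP and Azure; fd00:ec2::254 is the AWS IPv6 IMDS endpoint.
METADATA_BLOCKLIST = (ip_network("169.254.169.254/32"),
                      ip_network("fd00:ec2::254/128"))

# RFC 6052 well-known NAT64 prefix. Assumption: operator-specific /96 prefixes
# (including the RFC 8215 local-use range) are appended by the deployer.
NAT64_PREFIXES = [ip_network("64:ff9b::/96")]


def embedded_ipv4(v6: IPv6Address) -> IPv4Address | None:
    """Return the IPv4 address an IPv6 transition form carries, else None."""
    n = int(v6)
    low32 = IPv4Address(n & 0xFFFF_FFFF)
    if v6.ipv4_mapped is not None:               # ::ffff:a.b.c.d (RFC 4291)
        return v6.ipv4_mapped
    if (n >> 32) == 0 and n > 1:                 # ::a.b.c.d, IPv4-compatible
        return low32                             # (deprecated, still parsed)
    if any(v6 in p for p in NAT64_PREFIXES):     # PREFIX::a.b.c.d (RFC 6052)
        return low32
    if v6.sixtofour is not None:                 # 2002:AABB:CCDD::/48 (RFC 3056)
        return v6.sixtofour
    # ISATAP (RFC 5214): interface identifier ::0:5efe:a.b.c.d under any /64.
    # Mask the u/g bits so 0200:5efe (and 0100/0300) also match.
    iid_high = (n >> 32) & 0xFFFF_FFFF
    if iid_high & 0xFCFF_FFFF == 0x0000_5EFE:
        return low32
    return None


def canonical(addr: str):
    """Map every representation of an address to one comparable object."""
    ip = ip_address(addr)
    if isinstance(ip, IPv6Address):
        inner = embedded_ipv4(ip)
        if inner is not None:
            return inner
    return ip


def is_metadata_target_naive(host: str) -> bool:
    """Stand-in for an enumerating blocklist: unwraps only IPv4-mapped form."""
    ip = ip_address(host)
    if isinstance(ip, IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in METADATA_BLOCKLIST)


def is_metadata_target(host: str) -> bool:
    """Canonicalise first, then compare: the shape the fix calls for."""
    ip = canonical(host)
    return any(ip in net for net in METADATA_BLOCKLIST)


def url_host_literal(url: str) -> str | None:
    """Return the URL's host if it is an IP literal (brackets stripped)."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        ip_address(host)
    except ValueError:
        return None  # a DNS name: resolve it and check every A/AAAA answer
    return host


# Constructed probe URLs: each spells 169.254.169.254 a different way.
PROBES = [
    "http://169.254.169.254/latest/meta-data/",
    "http://[::ffff:169.254.169.254]/latest/meta-data/",        # IPv4-mapped
    "http://[::169.254.169.254]/latest/meta-data/",             # IPv4-compatible
    "http://[64:ff9b::169.254.169.254]/latest/meta-data/",      # NAT64
    "http://[2002:a9fe:a9fe::1]/latest/meta-data/",             # 6to4
    "http://[fe80::5efe:169.254.169.254]/latest/meta-data/",    # ISATAP
    "http://[2001:db8::200:5efe:a9fe:a9fe]/latest/meta-data/",  # ISATAP, u bit
]


def compare(urls=PROBES) -> dict[str, tuple[bool, bool]]:
    """Return {url: (naive_verdict, canonical_verdict)} for IP-literal URLs."""
    out = {}
    for u in urls:
        host = url_host_literal(u)
        if host is not None:
            out[u] = (is_metadata_target_naive(host), is_metadata_target(host))
    return out


if __name__ == "__main__":
    for url, (naive, full) in compare().items():
        print(f"naive={naive!s:5} canonical={full!s:5} {url}")
```

Running it shows the gap the advisory describes: the naive check passes five of the seven probes, while the canonicalising check blocks all of them. The canonicaliser is the reusable part; the blocklist and NAT64 prefix list are per-deployment inputs.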

Disclosure

Reported by Kai Aizen (SnailSploit). Status: Published. Coordinated with the pydantic maintainers; resolved in 1.102.0 and 2.0.0b3.

Author: Kai Aizen
Independent Adversarial Research group. Published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID: CVE-2026-48782
Product: pydantic-ai (Python)
Severity: 6.8 · Moderate
Class: CWE-918
Affected: pydantic-ai ≥1.56.0 <1.102.0 (and 2.0.0b1–b2)
Fixed: 1.102.0 / 2.0.0b3
References: GHSA-cg7w-rg45-pc59 · MITRE · NVD
Frequently asked

CVE-2026-48782 — questions & answers

What is CVE-2026-48782?

A moderate SSRF vulnerability (CWE-918) in pydantic-ai / pydantic-ai-slim. It is an incomplete fix of a prior SSRF: with force_download='allow-local' on untrusted URLs, the cloud-metadata blocklist can be bypassed via IPv6 transition forms (IPv4-compatible, NAT64, ISATAP) the earlier patch did not normalise.

Am I affected by CVE-2026-48782?

You are affected if you run pydantic-ai >=1.56.0 <1.102.0 (or 2.0.0b1/b2) and use force_download='allow-local' on untrusted URLs. The bypass is reachable in practice where the network has a NAT64 gateway or ISATAP tunnel.

How do I fix CVE-2026-48782?

Upgrade to pydantic-ai 1.102.0 or 2.0.0b3. As a mitigation, avoid force_download='allow-local' on untrusted URLs and block egress to the cloud metadata endpoints at the network layer (including their IPv6 spellings, not only 169.254.169.254).

What is the impact of CVE-2026-48782?

An attacker can reach the cloud metadata endpoint and expose cloud IAM short-term credentials in NAT64 or ISATAP environments. CVSS 6.8 Moderate, scope changed.

Where can I find authoritative references?

The pydantic-ai GitHub Security Advisory GHSA-cg7w-rg45-pc59, the MITRE CVE record for CVE-2026-48782, and the NVD detail page once published.