CVE-2026-25580: Pydantic AI has Server-Side Request Forgery (SSRF) in URL Download Handling

February 6, 2026

A Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI’s URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials.

This vulnerability only affects applications that accept message history from external users, such as those using:

Agent.to_web or clai web to serve a chat interface
VercelAIAdapter for Vercel AI SDK integration
AGUIAdapter or Agent.to_ag_ui for AG-UI protocol integration
Custom APIs that accept message history from user input

Applications that only use hardcoded or developer-controlled URLs are not affected.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-25580 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →