CVE-2026-46678: Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)

May 21, 2026

When an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs), the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form (IPv4-mapped IPv6, 6to4, or NAT64). Dual-stack and translated networks route the IPv6 wrapper to the underlying IPv4 endpoint, exposing cloud IAM short-term credentials.

References

github.com/advisories/GHSA-cqp8-fcvh-x7r3
github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3
github.com/pydantic/pydantic-ai/security/advisories/GHSA-cqp8-fcvh-x7r3
nvd.nist.gov/vuln/detail/CVE-2026-46678

Code Behaviors & Features

Detect and mitigate CVE-2026-46678 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →