{"api_version":"1","generated_at":"2026-07-12T20:39:38+00:00","cve":"CVE-2026-25580","urls":{"html":"https://cve.report/CVE-2026-25580","api":"https://cve.report/api/cve/CVE-2026-25580.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-25580","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-25580"},"summary":{"title":"Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling","description":"Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-02-06 21:16:17","updated_at":"2026-06-30 03:17:42"},"problem_types":["CWE-918","CWE-918 CWE-918: Server-Side Request Forgery (SSRF)","CWE-918 Server-Side Request Forgery (SSRF)"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"8.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"8.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-25580","name":"https://access.redhat.com/security/cve/CVE-2026-25580","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25580.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25580.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3","name":"https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3","refsource":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301","name":"https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437781","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2437781","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-25580","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25580","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"pydantic","product":"pydantic-ai","version":"affected >= 0.0.26, < 1.56.0","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-02-09T11:05:31.886Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-02-06T21:01:38.035Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"ADP","title":"","value":"To mitigate, configure applications using Pydantic AI to avoid accepting message history from untrusted external sources. Implement robust input validation and sanitization for all URLs processed by the application. Additionally, restrict network access for the Pydantic AI application to only essential internal and external resources, thereby limiting the potential impact of SSRF attacks.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"25580","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pydantic","cpe5":"pydantic_ai","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"python","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"25580","cve":"CVE-2026-25580","epss":"0.005790000","percentile":"0.433750000","score_date":"2026-07-01","updated_at":"2026-07-02 00:05:26"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-25580","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-02-09T15:21:59.190923Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-02-09T15:27:37.772Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"}],"datePublic":"2026-02-06T21:01:38.035Z","descriptions":[{"lang":"en","value":"A flaw was found in Pydantic AI. This Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to include malicious URLs within untrusted message history. When processed by the application, these URLs can force the server to make unauthorized HTTP requests to internal network resources. This could lead to the disclosure of sensitive internal information or access to cloud credentials."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-918","description":"Server-Side Request Forgery (SSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:42:27.039Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-25580"},{"name":"RHBZ#2437781","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437781"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25580.json"}],"timeline":[{"lang":"en","time":"2026-02-09T11:05:31.886Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-06T21:01:38.035Z","value":"Made public."}],"title":"Pydantic AI: Pydantic AI: Information disclosure via Server-Side Request Forgery (SSRF) through malicious URLs in message history.","workarounds":[{"lang":"en","value":"To mitigate, configure applications using Pydantic AI to avoid accepting message history from untrusted external sources. Implement robust input validation and sanitization for all URLs processed by the application. Additionally, restrict network access for the Pydantic AI application to only essential internal and external resources, thereby limiting the potential impact of SSRF attacks."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"pydantic-ai","vendor":"pydantic","versions":[{"status":"affected","version":">= 0.0.26, < 1.56.0"}]}],"descriptions":[{"lang":"en","value":"Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-918","description":"CWE-918: Server-Side Request Forgery (SSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-02-06T21:01:38.035Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3","tags":["x_refsource_CONFIRM"],"url":"https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3"},{"name":"https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301","tags":["x_refsource_MISC"],"url":"https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301"}],"source":{"advisory":"GHSA-2jrp-274c-jhv3","discovery":"UNKNOWN"},"title":"Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-25580","datePublished":"2026-02-06T21:01:38.035Z","dateReserved":"2026-02-03T01:02:46.715Z","dateUpdated":"2026-06-30T02:42:27.039Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-06 21:16:17","lastModifiedDate":"2026-06-30 03:17:42","problem_types":["CWE-918","CWE-918 CWE-918: Server-Side Request Forgery (SSRF)","CWE-918 Server-Side Request Forgery (SSRF)"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-09T15:21:59.190923Z","id":"CVE-2026-25580","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pydantic:pydantic_ai:*:*:*:*:*:python:*:*","versionStartIncluding":"0.0.26","versionEndExcluding":"1.56.0","matchCriteriaId":"AED125A7-1F54-4ACF-A702-6D4C09ABDE13"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"25580","Ordinal":"1","Title":"Pydantic AI Affected by Server-Side Request Forgery (SSRF) in UR","CVE":"CVE-2026-25580","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"25580","Ordinal":"1","NoteData":"Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.","Type":"Description","Title":"Pydantic AI Affected by Server-Side Request Forgery (SSRF) in UR"}]}}}