CVE Catalog

CVE-2026-48782

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile - higher than 25% of all known CVEs

Summary

In versions 1.56.0 through 1.101.0 and 2.0.0b1 and 2.0.0b2 of the Pydantic AI framework, the cloud metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form, leading to the exposure of short-term IAM credentials in the cloud. The previous fix did not decode all IPv6 transition forms, resulting in a security vulnerability.

Risk Assessment

Organizations using vulnerable versions of Pydantic AI may be exposed to unauthorized access to their IAM credentials, potentially leading to serious security incidents and data loss.

Recommendation

It is recommended to upgrade to version 2.0.0b3, which fixes this vulnerability. Additionally, consider limiting the use of the force_download='allow-local' option in applications using Pydantic AI.

Original NVD description (English source)

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS