Cyber Resilience

CVE-2026-25580

HighPublic PoCUpdated

Published: 06 February 2026

Published
06 February 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0046 36.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25580 is a high-severity SSRF (CWE-918) vulnerability in Pydantic Pydantic Ai. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25580 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Pydantic AI, a Python agent framework for building applications and workflows with Generative AI. The issue resides in the framework's URL download functionality and impacts versions from 0.0.26 up to but not including 1.56.0. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low complexity, no privileges required, and high confidentiality impact in a scoped attack.

The vulnerability can be exploited by remote attackers who submit message history containing malicious URLs to applications built with vulnerable Pydantic AI versions that accept such history from untrusted or external users. Successful exploitation causes the server to issue HTTP requests to attacker-specified internal network resources, potentially allowing access to internal services or exposure of cloud credentials. Applications not accepting external message history remain unaffected.

Mitigation is available via upgrade to Pydantic AI version 1.56.0 or later, where the vulnerability is fixed. Official advisories detail the patch in GitHub commit d398bc9d39aecca6530fa7486a410d5cce936301 and security advisory GHSA-2jrp-274c-jhv3.

This flaw highlights SSRF risks in AI agent frameworks handling untrusted inputs for Generative AI workflows, with no reported real-world exploitation as of publication on 2026-02-06.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources,…

more

attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, generative ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF flaw in public-facing AI framework directly enables T1190 exploitation via malicious URL inputs; facilitates T1552.005 by allowing server-side requests to cloud metadata APIs for credential exposure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25640Same product: Pydantic Pydantic Ai
CVE-2026-2286Shared CWE-918
CVE-2026-42449Shared CWE-918
CVE-2026-45310Shared CWE-918
CVE-2026-39885Shared CWE-918
CVE-2026-33039Shared CWE-918
CVE-2026-33351Shared CWE-918
CVE-2026-40150Shared CWE-918
CVE-2024-7959Shared CWE-918
CVE-2026-39974Shared CWE-918

Affected Assets

pydantic
pydantic ai
0.0.26 — 1.56.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely remediation of the SSRF flaw in Pydantic AI through patching to version 1.56.0 or later.

prevent

Prevents SSRF exploitation by validating untrusted URLs in message history inputs before processing by the URL download functionality.

prevent

Enforces information flow policies to block server-initiated HTTP requests to internal network resources targeted by malicious URLs.

References