CVE-2026-25580
Published: 06 February 2026
Summary
CVE-2026-25580 is a high-severity SSRF (CWE-918) vulnerability in Pydantic AI. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 4.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the CVE by requiring timely remediation of the SSRF flaw in Pydantic AI through patching to version 1.56.0 or later.
Prevents SSRF exploitation by validating untrusted URLs in message history inputs before processing by the URL download functionality.
Enforces information flow policies to block server-initiated HTTP requests to internal network resources targeted by malicious URLs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF flaw in public-facing AI framework directly enables T1190 exploitation via malicious URL inputs; facilitates T1552.005 by allowing server-side requests to cloud metadata APIs for credential exposure.
NVD Description
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0.
Deeper analysis
CVE-2026-25580 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Pydantic AI, a Python agent framework for building applications and workflows with Generative AI. The issue resides in the framework's URL download functionality and impacts versions from 0.0.26 up to but not including 1.56.0. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity: the flaw is reachable over the network, has low attack complexity, requires no privileges or user interaction, and has a high confidentiality impact with changed scope.
The vulnerability can be exploited by remote attackers who submit message history containing malicious URLs to applications built with vulnerable Pydantic AI versions that accept such history from untrusted or external users. Successful exploitation causes the server to issue HTTP requests to attacker-specified internal network resources, potentially allowing access to internal services or exposure of cloud credentials. Applications not accepting external message history remain unaffected.
Mitigation is available via upgrade to Pydantic AI version 1.56.0 or later, where the vulnerability is fixed. Official advisories detail the patch in GitHub commit d398bc9d39aecca6530fa7486a410d5cce936301 and security advisory GHSA-2jrp-274c-jhv3.
This flaw highlights SSRF risks in AI agent frameworks handling untrusted inputs for Generative AI workflows, with no reported real-world exploitation as of publication on 2026-02-06.
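The input-validation control described above (checking untrusted message-history URLs before anything downloads them), as an added example that is not Pydantic AI's code or its 1.56.0 fix. The history shape, host names and `sample_resolver` are constructed assumptions so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host):
    """Return every address the host currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(addr):
    """True only for globally routable addresses."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped:  # e.g. ::ffff:127.0.0.1
        ip = ip.ipv4_mapped
    return ip.is_global

def is_safe_url(url, resolver=system_resolver):
    """Allow only http(s) URLs whose host resolves solely to public addresses."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        addrs = resolver(host)
    except OSError:
        return False
    # A single internal answer is enough to reject the URL.
    return bool(addrs) and all(is_public_address(a) for a in addrs)

def unsafe_urls(history, resolver=system_resolver):
    """Return the URLs in untrusted history entries that must not be fetched."""
    return [m["url"] for m in history
            if "url" in m and not is_safe_url(m["url"], resolver)]

# Constructed sample data (hypothetical history shape, fake DNS answers).
SAMPLE_DNS = {"files.example.com": {"93.184.216.34"},
              "wiki.corp.example": {"10.0.0.5"},
              "mixed.example.com": {"93.184.216.34", "127.0.0.1"}}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, {host})  # IP literals map to themselves

SAMPLE_HISTORY = [{"url": "https://files.example.com/a.png"},
                  {"url": "http://169.254.169.254/latest/meta-data/"},
                  {"url": "http://wiki.corp.example/page"},
                  {"url": "https://mixed.example.com/x"}]
```

A check like this only holds if the downloader connects to the address that was validated and repeats the check on every redirect; otherwise a second DNS answer or a 3xx response can still steer the request to an internal host.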
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, generative ai, ai