Cyber Posture

CVE-2026-25640

Severity: High
Published: 06 February 2026
Modified: 20 February 2026
KEV: not listed
Patch: fixed in 1.51.0
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
EPSS Score: 0.0002 (3.7th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25640 is a high-severity path traversal (CWE-22) vulnerability in Pydantic AI (vendor: Pydantic) whose effect is cross-site scripting (CWE-79) in the framework's web UI. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). EPSS ranks it at the 3.7th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Machine Learning Libraries.

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and two other techniques (T1204.001 Malicious Link, T1566.002 Spearphishing Link).
Threat & Defense Details

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22, CWE-79: validate pathnames and filenames so a request cannot traverse outside the intended directory. For this CVE that means the version query parameter must not be able to change which CDN path the server fetches; a strict allow-list on the version string (digits and dots only) is the direct control.

Addresses CWE-79: penetration testing submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.

Addresses CWE-79: output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

The unvalidated version parameter lets a crafted URL make the server fetch and serve attacker-controlled JavaScript from the CDN under the web UI's own origin. Whatever gets the victim to that URL (a link in a spearphishing email, a malicious link elsewhere, or an iframe on an attacker-controlled page) completes the drive-by: the code executes in the victim's browser in the context of the chat application as soon as the page loads.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0.

Deeper analysis

CVE-2026-25640 is a path traversal vulnerability (CWE-22) whose impact is cross-site scripting (CWE-79) in the Pydantic AI Python agent framework, which is used for building applications and workflows with Generative AI. The issue affects versions from 1.34.0 up to but not including 1.51.0, specifically in the web UI served via the Agent.to_web method or the clai web CLI command. In vulnerable versions, the CDN URL for the chat UI package is built from a version query parameter taken from the request URL without validation. Because the server, not the browser, fetches that URL and serves the result, traversal sequences in the parameter let an attacker redirect the fetch to any other path on the same CDN, including a package whose contents they control, and the response is served to the victim as if it were the chat UI.

An unauthenticated remote attacker (AV:N/PR:N) exploits this by crafting a URL with path traversal sequences in the version parameter. If a victim loads that URL, by clicking a link or by having it embedded in an iframe on a page they visit (UI:R), the attacker-controlled JavaScript executes in the victim's browser in the origin of the chat application, allowing theft of chat history and other client-side data. The CVSS v3.1 base score is 7.1 (C:H/I:L/A:N/S:U). Only the chat interface served by these two entry points is affected, whether it is bound to localhost or deployed on a remote server; note that a localhost deployment is still reachable by the developer's own browser, so a link or iframe pointing at the local port works against anyone running the UI locally.

The vulnerability is fixed in Pydantic AI version 1.51.0, as detailed in the project's release notes and security advisory. Upgrade affected deployments. Until that is done, do not expose the Agent.to_web or clai web chat interface to untrusted networks, and treat any request whose version parameter contains path separators, dot segments or percent-encoded forms of them as hostile. The fix removes the unvalidated use of the version parameter so it can no longer change which CDN path is fetched.

As a framework for Generative AI agents, this flaw illustrates a risk in AI application web UIs that load their front end from a CDN: when the server fetches the CDN resource on the client's behalf, any request-controlled component of the CDN path is an injection point. No real-world exploitation had been reported as of the CVE publication on 2026-02-06.
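Added example (not Pydantic AI's code and not the 1.51.0 fix) of the pattern the NVD text and the pathname-validation control above describe, in Python. The CDN host (cdn.example), the package name (chat-ui), the path layout and the request URLs are all constructed assumptions; what the code shows is that a version query parameter spliced into a CDN URL without validation selects which CDN path the server fetches, that the check has to run on the percent-decoded value, and that a strict version grammar plus a re-check of the resolved URL closes the hole.

```python
"""Vulnerable and hardened CDN URL construction for a request-supplied version.

Illustration only: the CDN host, package name and path layout below are
assumptions and are not Pydantic AI's actual values or code.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed CDN layout: https://cdn.example/<package>@<version>/dist/index.html
CDN_BASE = "https://cdn.example/"
PACKAGE = "chat-ui"          # hypothetical package name
DEFAULT_VERSION = "1.50.0"   # version pinned at build time (constructed value)

# Only plain dotted release versions are acceptable: digits and dots, so the
# value can never introduce a path segment, a query or a fragment.
VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+){1,3}")


def version_from_request(request_url: str) -> str:
    """Pull ``?version=`` from the request URL.

    parse_qs percent-decodes the value, so ``%2F`` and ``%2E`` arrive as
    ``/`` and ``.``; any validation must run on this decoded string, never
    on the raw query text.
    """
    query = parse_qs(urlsplit(request_url).query)
    return query.get("version", [DEFAULT_VERSION])[0]


def build_cdn_url_vulnerable(version: str) -> str:
    """Before: the parameter is spliced straight into the CDN path.

    urljoin applies RFC 3986 dot-segment removal, the same normalisation an
    HTTP client or the CDN performs, so ``..`` walks out of the package
    directory and the server ends up fetching another package's
    dist/index.html from the same CDN.
    """
    return urljoin(CDN_BASE, f"{PACKAGE}@{version}/dist/index.html")


def build_cdn_url_hardened(version: str) -> str:
    """After: allow-list the version grammar, then re-check the resolved URL."""
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"rejected version parameter: {version!r}")
    url = urljoin(CDN_BASE, f"{PACKAGE}@{version}/dist/index.html")
    # Defence in depth: whatever the grammar let through, the URL the server
    # will actually fetch must still sit under the legitimate package prefix.
    if not url.startswith(f"{CDN_BASE}{PACKAGE}@"):
        raise ValueError(f"resolved URL escaped the package prefix: {url}")
    return url


def resolve_ui_url(request_url: str, hardened: bool) -> Optional[str]:
    """URL the server would fetch for this request, or None if it is rejected."""
    version = version_from_request(request_url)
    builder = build_cdn_url_hardened if hardened else build_cdn_url_vulnerable
    try:
        return builder(version)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed request URLs: benign, traversal, and percent-encoded traversal.
    for url in (
        "http://localhost:8000/?version=1.50.0",
        "http://localhost:8000/?version=1.0/../evil-package@0.0.1",
        "http://localhost:8000/?version=1.0%2F..%2Fevil-package%400.0.1",
    ):
        print(url)
        print("  vulnerable ->", resolve_ui_url(url, hardened=False))
        print("  hardened   ->", resolve_ui_url(url, hardened=True))
```

The percent-encoded case is the one to watch when writing a detection or a WAF rule: the server-side code sees the decoded `1.0/../evil-package@0.0.1`, so a rule that only looks for a literal `../` in the raw query string misses it. The regex allow-list is the real fix; the prefix check on the resolved URL is there so that a later relaxation of the grammar (pre-release tags, for instance) cannot silently reopen the traversal.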

Details

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected Products

Pydantic
Pydantic AI
1.34.0 up to (excluding) 1.51.0

AI Security Analysis

AI Category
Machine Learning Libraries
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, generative ai, ai

CVEs Like This One

CVE-2026-25580 (same product: Pydantic AI)
CVE-2025-23652 (shared CWE-79)
CVE-2026-34375 (shared CWE-79)
CVE-2025-23610 (shared CWE-79)
CVE-2025-67964 (shared CWE-79)
CVE-2026-28100 (shared CWE-79)
CVE-2026-1866 (shared CWE-79)
CVE-2026-28113 (shared CWE-79)
CVE-2026-27353 (shared CWE-79)
CVE-2025-22631 (shared CWE-79)
