Cyber Resilience

CVE-2026-6604

Medium

Published: 20 April 2026

Modified: 22 April 2026
KEV Added:
Patch:
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0028 (20.1th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-6604 is a medium-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-6604 is a server-side request forgery (SSRF) vulnerability affecting modelscope agentscope versions up to 1.0.18. The issue resides in the Cloud Metadata Endpoint component, specifically within the functions _parse_url, prepare_image, and openai_audio_to_text in the file src/agentscope/tool/_multi_modality/_openai_tools.py. By manipulating the image_url or audio_file_url arguments, an attacker can induce the server to make unintended requests.

The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is remotely exploitable by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation enables limited confidentiality, integrity, and availability impacts through SSRF, potentially allowing access to internal resources or services depending on the server's network configuration.

Advisories from VulDB indicate that the vendor was contacted early about the disclosure but did not respond, and no patches or mitigations are mentioned. An exploit is publicly available via a GitHub Gist, increasing the risk of active use.

This vulnerability affects an AI/ML-related framework involving multi-modality tools and OpenAI integrations, with the public exploit potentially enabling real-world attacks on deployments using affected agentscope versions.

Vulnerability details

A vulnerability was identified in modelscope agentscope up to 1.0.18. Affected by this issue is the function _parse_url/prepare_image/openai_audio_to_text of the file src/agentscope/tool/_multi_modality/_openai_tools.py of the component Cloud Metadata Endpoint. Such manipulation of the argument image_url/audio_file_url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.005 Cloud Instance Metadata API (Tactic: Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Why these techniques?

The SSRF vulnerability in a public-facing application directly enables exploitation via T1190; manipulating URLs to reach the cloud metadata endpoint facilitates T1552.005 for accessing instance metadata.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30832 (Shared CWE-918)
CVE-2026-28467 (Shared CWE-918)
CVE-2026-25545 (Shared CWE-918)
CVE-2026-34367 (Shared CWE-918)
CVE-2026-27829 (Shared CWE-918)
CVE-2025-8085 (Shared CWE-918)
CVE-2026-41905 (Shared CWE-918)
CVE-2026-33752 (Shared CWE-918)
CVE-2026-33626 (Shared CWE-918)
CVE-2026-0807 (Shared CWE-918)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates manipulated image_url and audio_file_url inputs to prevent SSRF by ensuring only authorized external endpoints are accessed.

prevent, detect

Monitors and controls server-initiated outbound communications at boundaries to block SSRF attempts from reaching internal or unauthorized resources.

prevent

Mandates timely remediation of the SSRF flaw in agentscope through patching, upgrades, or compensatory controls given the public exploit and lack of vendor response.
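
One way to apply the input-validation control to image_url and audio_file_url, shown as an added example and not agentscope's own code or a vendor fix. The function names (vet_media_url, is_fetchable, resolve_host), the HTTPS-only policy and the optional host allowlist are assumptions; the check vets every address a URL resolves to and rejects anything that is not publicly routable.

```python
# Added example: all names here are hypothetical, not agentscope code.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: media is only ever fetched over HTTPS

def resolve_host(host, port):
    """Default resolver: every address the name currently maps to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def vet_media_url(url, allowed_hosts=None, resolver=resolve_host):
    """Return the vetted IPs behind url, or raise ValueError if it must not be fetched."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host}")
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal: no DNS lookup
    except ValueError:
        addrs = set(resolver(host, parts.port or 443))
    if not addrs:
        raise ValueError(f"host did not resolve: {host}")
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 form
        # Rejects loopback, RFC 1918, link-local (cloud metadata), CGNAT, multicast
        if not ip.is_global or ip.is_multicast:
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return sorted(addrs)

def is_fetchable(url, **kwargs):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        vet_media_url(url, **kwargs)
        return True
    except ValueError:
        return False
```

The caller should connect to the returned addresses instead of resolving the name a second time, and should disable or re-vet HTTP redirects, since either step can otherwise send the request back to an internal address.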
