CVE-2026-6604
Published: 20 April 2026
Summary
CVE-2026-6604 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly validates manipulated image_url and audio_file_url inputs to prevent SSRF by ensuring only authorized external endpoints are accessed.
Monitors and controls server-initiated outbound communications at boundaries to block SSRF attempts from reaching internal or unauthorized resources.
Mandates timely remediation of the SSRF flaw in agentscope through patching, upgrades, or compensatory controls given the public exploit and lack of vendor response.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability in a public-facing application directly enables exploitation via T1190; manipulating URLs to point at the cloud metadata endpoint facilitates T1522 for accessing instance metadata.
NVD Description
A vulnerability was identified in modelscope agentscope up to 1.0.18. Affected by this issue is the function _parse_url/prepare_image/openai_audio_to_text of the file src/agentscope/tool/_multi_modality/_openai_tools.py of the component Cloud Metadata Endpoint. Such manipulation of the argument image_url/audio_file_url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2026-6604 is a server-side request forgery (SSRF) vulnerability affecting modelscope agentscope versions up to 1.0.18. The issue resides in the Cloud Metadata Endpoint component, specifically within the functions _parse_url, prepare_image, and openai_audio_to_text in the file src/agentscope/tool/_multi_modality/_openai_tools.py. By manipulating the image_url or audio_file_url arguments, an attacker can induce the server to make unintended requests.
The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is remotely exploitable by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation enables limited confidentiality, integrity, and availability impacts through SSRF, potentially allowing access to internal resources or services depending on the server's network configuration.
Advisories from VulDB indicate that the vendor was contacted early about the disclosure but did not respond, and no patches or mitigations are mentioned. An exploit is publicly available via a GitHub Gist, increasing the risk of active use.
This vulnerability affects an AI/ML-related framework involving multi-modality tools and OpenAI integrations, with the public exploit potentially enabling real-world attacks on deployments using affected agentscope versions.
Details
- CWE(s)