Server-Side Request Forgery in Pydantic AI Framework by Pydantic
CVE-2026-25580
8.6HIGH
What is CVE-2026-25580?
The Pydantic AI framework, designed for creating applications with Generative AI, has a Server-Side Request Forgery (SSRF) vulnerability affecting versions from 0.0.26 to prior to 1.56.0. This security flaw allows attackers to exploit the URL download feature by sending malicious URLs when applications handle message history from untrusted sources. If successfully executed, the server can inadvertently make HTTP requests to sensitive internal resources, which may expose crucial internal services and cloud credentials. It is essential for developers to ensure they upgrade to version 1.56.0 or later to safeguard their applications against this vulnerability.
Affected Version(s)
pydantic-ai >= 0.0.26, < 1.56.0
