PT-2026-33710 · Modelscope · Agentscope

Eric-F · Published 2026-04-20 · Updated 2026-04-20 · CVE-2026-6604

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions
modelscope agentscope versions prior to 1.0.19

Description
An issue exists in the Cloud Metadata Endpoint component within the file src/agentscope/tool/_multi_modality/_openai_tools.py. Specifically, the functions parse_url(), prepare_image(), and openai_audio_to_text() do not properly handle the image_url and audio_file_url arguments. This allows a remote attacker to perform server-side request forgery, which is a technique where an attacker induces a server-side application to make requests to an unintended location.

Recommendations
Update to a version newer than 1.0.18. As a temporary workaround, restrict access to the functions parse_url(), prepare_image(), and openai_audio_to_text() or avoid using the image_url and audio_file_url arguments until a patch is applied.
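Where the upgrade cannot be applied immediately, callers can validate a URL before it is passed as image_url or audio_file_url. The following is an added example, not AgentScope code and not the project's fix; check_outbound_url, the resolver parameter and ALLOWED_SCHEMES are hypothetical names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolver(host, port):
    """Return the set of IP strings the OS would connect to for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_outbound_url(url, resolver=_system_resolver):
    """Return (ok, reason) for a caller-supplied image_url / audio_file_url.

    Hypothetical helper: accepts only http(s) URLs whose host resolves
    exclusively to public addresses, so loopback, RFC 1918 and link-local
    targets (including the 169.254.169.254 metadata service) are refused.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            return False, f"scheme {scheme!r} not allowed"
        host = parts.hostname
        if not host:
            return False, "no host in URL"
        port = parts.port or (443 if scheme == "https" else 80)
        # Strip any IPv6 zone id before parsing each resolved address.
        addresses = [ipaddress.ip_address(a.split("%")[0])
                     for a in resolver(host, port)]
    except (OSError, ValueError) as exc:
        return False, f"cannot parse or resolve URL: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for ip in addresses:
        # Unwrap ::ffff:a.b.c.d so IPv4 rules apply to mapped addresses.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # Every resolved address must be public; one internal record fails.
        if not ip.is_global or ip.is_multicast:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

The check only holds if the subsequent fetch connects to the address that was validated and applies the same check to every redirect target; otherwise a second DNS lookup or a redirect can still reach an internal address.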

Exploit

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-6604
GHSA-659X-HM75-HPV7

Affected Products

Agentscope