PT-2026-6796 · Unknown+1 · Pydantic-Ai+6
Doredry +1 · Published 2026-02-06 · Updated 2026-02-08 · CVE-2026-25580
CVSS v3.1: 8.6 High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Pydantic AI versions 0.0.26 through 1.55.9

Description: A Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When an application accepts message history from untrusted sources, an attacker can include URLs in that history that cause the server to make HTTP requests to internal network resources, potentially reaching internal services or cloud credential endpoints.

Only applications that accept message history from external users are affected, for example those using Agent.to_web, clai web, VercelAIAdapter, AGUIAdapter or Agent.to_ag_ui, or custom APIs that accept message history from user input. The download_item() helper downloads content from URLs without validating that the target is a public internet address, so an attacker can reach internal services, steal cloud credentials or scan internal networks. Multiple model integrations download URL content under certain conditions, including OpenAIChatModel, AnthropicModel, GoogleModel, XaiModel, BedrockConverseModel and OpenRouterModel.

Recommendations: Upgrade to version 1.56.0 or later. If a project cannot upgrade immediately, use a history processor to filter out URLs targeting local/private addresses.
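One way to implement the history-processor mitigation recommended above, as an added example that is not code from the Pydantic AI project or from this advisory. It resolves each URL's host and rejects anything that does not land on a globally routable unicast address, which covers loopback, RFC 1918, the 169.254.169.254 metadata endpoint, IPv4-mapped IPv6 and decimal-integer hosts; the `UrlPart` and `Message` classes are stand-ins (assumptions) for Pydantic AI's real message and URL-part types, and the DNS table is constructed so the code runs offline.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

def resolve_dns(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def make_table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Constructed offline resolver for the demo; unknown names fail like DNS does."""
    def resolve(host: str) -> List[str]:
        if host not in table:
            raise socket.gaierror(f"no record for {host!r} (constructed resolver)")
        return list(table[host])
    return resolve

def is_public_address(addr: str) -> bool:
    """Globally routable unicast only: loopback, RFC 1918, link-local (including
    169.254.169.254), CGNAT, reserved, unspecified and multicast are rejected."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback in an IPv6 coat: judge the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def url_target_reason(url: str, resolve: Resolver = resolve_dns) -> Optional[str]:
    """None if url may be fetched, else the reason it must not be (fails closed)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "malformed URL"
    if parts.scheme.lower() not in ("http", "https"):
        return f"scheme {parts.scheme!r} is not http(s)"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return "URL has no host"
    try:
        if host.isdigit():
            # http://2130706433/ is 127.0.0.1 to most resolvers; normalise it here.
            addrs = [str(ipaddress.ip_address(int(host)))]
        else:
            addrs = [str(ipaddress.ip_address(host))]  # plain IP literal
    except ValueError:  # not a literal but a DNS name: every answer must be public
        try:
            addrs = resolve(host)
        except OSError:
            return f"cannot resolve {host!r}"
    for addr in addrs:
        if not is_public_address(addr):
            return f"{host} -> {addr} is not a public address"
    return None

@dataclass
class UrlPart:
    url: str  # stand-in (assumption) for pydantic-ai URL parts such as ImageUrl/DocumentUrl

@dataclass
class Message:
    parts: List[object] = field(default_factory=list)  # str or UrlPart; stands in for ModelMessage

def drop_private_urls(messages: List[Message], resolve: Resolver = resolve_dns,
                      rejected: Optional[List[Tuple[str, str]]] = None) -> List[Message]:
    """History-processor-shaped filter: new messages without URL parts that point
    at non-public targets; (url, reason) pairs are appended to rejected for logging."""
    cleaned = []
    for msg in messages:
        kept = []
        for part in msg.parts:
            if isinstance(part, UrlPart):
                reason = url_target_reason(part.url, resolve)
                if reason is not None:
                    if rejected is not None:
                        rejected.append((part.url, reason))
                    continue
            kept.append(part)
        cleaned.append(Message(parts=kept))
    return cleaned

# Constructed DNS table so the demo runs offline; these are not real records.
CONSTRUCTED_DNS = {
    "cdn.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "mapped.example": ["::ffff:127.0.0.1"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # one private answer is enough to reject
}

if __name__ == "__main__":
    table = make_table_resolver(CONSTRUCTED_DNS)
    dropped: List[Tuple[str, str]] = []
    history = [Message(["describe these", UrlPart("https://cdn.example/photo.png"),
                        UrlPart("http://metadata.internal/latest/meta-data/iam/")])]
    print(drop_private_urls(history, table, dropped), dropped)
```

To wire this into a real agent, walk Pydantic AI's actual message and URL-part classes instead of the stand-ins and register the function as a history processor; the decision logic in `url_target_reason` stays the same. Two caveats a practitioner should keep in mind: the check resolves the name at filtering time while the download resolves it again later, so an attacker-controlled DNS name can answer with a public address now and a private one then (DNS rebinding), and a hostname whose resolver accepts shorthand forms such as octal or hex octets is only caught here if the resolver returns the resulting address. Both are reasons to treat the processor as a stopgap and upgrade to 1.56.0 or later.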


Weakness Enumeration

SSRF

Related Identifiers

CVE-2026-25580
GHSA-2jrp-274c-jhv3

Affected Products

AnthropicModel
BedrockConverseModel
GoogleModel
OpenAIChatModel
OpenRouterModel
Pydantic-Ai
XaiModel