Intel

AIKIDO-2026-241166

pydantic-ai is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF)CVE-2026-54249 Published Jun 29, 2026

68

Medium Risk

This Affects:

PYTHONpydantic-ai
1.65.0 - 1.105.0
Fixed in 1.106.0
Are you affected? Scan for Free

TL;DR

The UI adapters in pydantic-ai/´pydantic-ai-slim´ reconstruct file parts from client-submitted message history and forward them to the model provider. While FileUrl parts are validated against a scheme allowlist, UploadedFile references that point to a provider file ID or cloud-storage URI such as s3:// or gs:// are forwarded without validation. Because the provider resolves these references using the server-side identity rather than the client's, untrusted input can make the server read files belonging to its own account or other tenants. The fix drops UploadedFile items from client-submitted messages unless the new preserve_file_data flag is explicitly enabled.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted client-submitted message history to an agent through a UI adapter.

Background info

pydantic-ai is vulnerable to Server-Side Request Forgery (SSRF) in versions 1.65.0 - 1.105.0.

How to fix this

Upgrade the pydantic-ai or ´pydantic-ai-slim´ library to the patch version.