Bug 2489704 (CVE-2026-48782)
| Summary: | CVE-2026-48782 pydantic-ai: Pydantic AI: Information Disclosure via Cloud-Metadata Blocklist Bypass | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bbrownin |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Pydantic AI, where its cloud-metadata blocklist could be bypassed. This vulnerability allows an attacker to expose cloud IAM (Identity and Access Management) short-term credentials. The bypass occurs when an application using Pydantic AI is configured to allow local file downloads and operates on networks that route specific IPv6 (Internet Protocol version 6) transition forms, which were not properly decoded by a previous fix. This could lead to unauthorized access to cloud resources through information disclosure.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-06-17 00:01:29 UTC
|