CVE-2026-25904: CWE-918 Server-Side Request Forgery (SSRF)
CVE-2026-25904 is a Server-Side Request Forgery (SSRF) vulnerability in the Pydantic-AI MCP Run Python tool, which uses an overly permissive Deno sandbox configuration. This misconfiguration allows Python code executed within the sandbox to access the localhost interface of the host system, potentially enabling SSRF attacks. The project is archived and unlikely to receive a fix, increasing risk for users who continue to rely on it. The vulnerability has a CVSS score of 5.8 (medium severity), reflecting moderate impact and exploitation complexity. Exploitation requires user interaction but no privileges or authentication. While no known exploits are currently in the wild, the vulnerability could allow attackers to access internal services, leading to information disclosure and limited integrity and availability impacts. European organizations using this tool or similar configurations should be cautious, especially those in countries with strong adoption of Python and Deno-based development environments. Mitigation involves discontinuing use of the vulnerable tool, isolating sandbox environments, and restricting network access from sandboxed code. Countries with significant tech sectors and software development communities, such as Germany, France, the UK, and the Netherlands, are most likely to be affected.
AI Analysis
Technical Summary
CVE-2026-25904 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, found in the Pydantic-AI MCP Run Python tool. This tool configures the Deno sandbox environment with overly permissive network access, allowing Python code executed within the sandbox to make requests to the localhost interface of the host machine. SSRF vulnerabilities enable attackers to induce the server-side application to send crafted requests to internal or external systems that would otherwise be inaccessible, potentially exposing sensitive information or enabling further attacks. The vulnerability arises because the sandbox does not properly restrict network access, violating the principle of least privilege. The project is archived, meaning no patches or fixes are expected, leaving users exposed if they continue to use this tool. The CVSS v3.1 base score is 5.8, indicating a medium severity level. The vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). Although no known exploits are reported in the wild, the vulnerability could be exploited by tricking a user into executing malicious Python code within the sandbox, which then performs SSRF attacks against internal services. This can lead to information disclosure or limited disruption of internal services. The vulnerability highlights the risks of misconfigured sandbox environments, especially when running untrusted or semi-trusted code.
Potential Impact
For European organizations, the impact of CVE-2026-25904 depends largely on their use of the Pydantic-AI MCP Run Python tool or similar sandbox configurations. Organizations relying on this tool for Python code execution in isolated environments may be exposed to SSRF attacks that can access internal network services, potentially leading to unauthorized information disclosure or reconnaissance. This can facilitate lateral movement or further exploitation within the network. Although the impact on integrity and availability is rated low, the confidentiality breach could expose sensitive internal APIs or services. The archived status of the project means no official patches will be released, increasing the risk for organizations that continue to use it. European companies in sectors such as software development, cloud services, and research institutions that use Deno or Python sandboxing tools are particularly at risk. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments where users execute untrusted code. The medium severity rating suggests that while the threat is not critical, it warrants attention to prevent potential internal network compromises.
Mitigation Recommendations
1. Discontinue use of the Pydantic-AI MCP Run Python tool immediately, especially in production or sensitive environments, since it is archived and will not receive patches.
2. If continued use is necessary, isolate the sandbox environment using strict network segmentation and firewall rules to prevent access to localhost or internal network interfaces.
3. Employ network-level controls such as egress filtering to block unauthorized outbound requests from sandboxed processes.
4. Review and harden sandbox configurations to enforce the principle of least privilege, explicitly denying network access unless absolutely required.
5. Use alternative, actively maintained sandboxing tools with robust security controls and regular updates.
6. Implement monitoring and alerting for unusual network requests originating from sandboxed environments to detect potential SSRF attempts.
7. Educate developers and users about the risks of executing untrusted code and require code review or validation before execution.
8. Conduct regular security assessments of sandbox configurations and network access controls to identify and remediate similar misconfigurations.
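For the configuration review in recommendation 4, the following added example (not code from the advisory or from the archived project) audits a Deno launch command for network permissions that leave host-local services reachable. It assumes Deno's `--allow-net`, `--deny-net` and `-A`/`--allow-all` permission flags; the function names and the sample command lines are constructed for illustration.

```python
import ipaddress
import shlex

def _host_of(entry):
    """Drop an optional :port from an allow-list entry ([::1]:80, host:443)."""
    entry = entry.strip()
    if entry.startswith("[") and "]" in entry:
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:
        return entry.split(":", 1)[0]
    return entry  # bare hostname, IPv4, or unbracketed IPv6

def _is_internal(host):
    """True for loopback names and loopback/private/link-local addresses."""
    name = host.lower()
    if name == "localhost" or name.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return False  # ordinary DNS name; what it resolves to is not checked
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def audit_deno_net(cmdline):
    """Return findings for network permissions that reach host-local services.

    Conservative by design: every argument is scanned, and a partial
    --deny-net=<list> is not credited as a fix for a broad allow.
    """
    args = shlex.split(cmdline)
    if "--deny-net" in args:  # bare form denies all network access
        return []
    findings = []
    for arg in args:
        if arg in ("-A", "--allow-all"):
            findings.append(f"{arg}: all permissions granted, including network")
        elif arg == "--allow-net":
            findings.append("--allow-net: unrestricted, loopback is reachable")
        elif arg.startswith("--allow-net="):
            for entry in arg.split("=", 1)[1].split(","):
                if entry and _is_internal(_host_of(entry)):
                    findings.append(f"--allow-net entry '{entry}' is host-local or internal")
    return findings

if __name__ == "__main__":
    # Constructed command lines, not taken from the archived project.
    for cmd in ("deno run --allow-net main.ts",
                "deno run --allow-net=pypi.org:443,localhost:8080 main.ts",
                "deno run --allow-net=cdn.jsdelivr.net,pypi.org main.ts"):
        print(cmd, "->", audit_deno_net(cmd) or "no findings")
```

An empty result only means the flags themselves do not name an internal destination; an allowed DNS name can still resolve to one, so the egress filtering in recommendation 3 remains necessary.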
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: JFROG
- Date Reserved: 2026-02-08T11:19:42.864Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6989a2774b57a58fa13a5753
Added to database: 2/9/2026, 9:01:43 AM
Last enriched: 2/16/2026, 1:34:11 PM
Last updated: 3/26/2026, 6:24:18 AM