This SSRF vulnerability arises because pydantic-ai's cloud-metadata blocklist can be bypassed via IPv6 transition address forms that were not decoded by the prior fix (CVE-2026-46678). Specifically, IPv4-compatible IPv6 (::a.b.c.d), NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP forms can be used to route requests to the underlying IPv4 metadata endpoint, exposing cloud IAM credentials. The vulnerability manifests when force_download='allow-local' is enabled, disabling the default block on private/internal IPs, and the network routes these IPv6 transition forms (e.g., NAT64-configured or ISATAP networks). Standard dual-stack cloud VMs or containers not routing these forms are not affected in practice. Deprecated IPv6 variants like IPv4-compatible and Teredo are addressed as defense-in-depth. This vulnerability is an incomplete fix of CVE-2026-46678 and has been resolved in pydantic-ai version 2.0.0b3.

Successful exploitation can lead to exposure of cloud IAM short-term credentials by bypassing the cloud-metadata blocklist, potentially allowing unauthorized access to cloud resources. The impact is limited to environments where the application uses force_download='allow-local' and runs on networks routing affected IPv6 transition forms. There is no indication of integrity or availability impact. The CVSS v3.1 score is 6.8 (medium severity), reflecting network attack vector, high complexity, no privileges required, no user interaction, and high confidentiality impact.

A fix is available in pydantic-ai version 2.0.0b3. Users should upgrade to this version or later to remediate the vulnerability. Until then, avoid enabling force_download='allow-local' on networks that route affected IPv6 transition forms. Patch status is not explicitly stated in the vendor advisory beyond the fix in 2.0.0b3, so verify with the vendor for the latest remediation guidance.