Skip to main content
CVE Vulnerability Database

CVE-2026-6604: ModelScope AgentScope SSRF Vulnerability

CVE-2026-6604 is a server-side request forgery flaw in ModelScope AgentScope up to version 1.0.18 that allows remote attackers to manipulate cloud metadata endpoints. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-6604 Overview

A Server-Side Request Forgery (SSRF) vulnerability has been identified in ModelScope AgentScope up to version 1.0.18. This security flaw affects the _parse_url, prepare_image, and openai_audio_to_text functions within the file src/agentscope/tool/_multi_modality/_openai_tools.py, specifically in the Cloud Metadata Endpoint component. An attacker can manipulate the image_url or audio_file_url arguments to perform unauthorized server-side requests to internal or external resources.

Critical Impact

Remote attackers can exploit this SSRF vulnerability to access internal cloud metadata endpoints, potentially exposing sensitive credentials, infrastructure details, and enabling lateral movement within cloud environments.

Affected Products

  • ModelScope AgentScope versions up to and including 1.0.18
  • Cloud deployments utilizing AgentScope's multi-modality tools
  • Systems exposing OpenAI tool integration endpoints

Discovery Timeline

  • 2026-04-20 - CVE-2026-6604 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-6604

Vulnerability Analysis

This SSRF vulnerability (CWE-918) exists in the multimodal processing components of AgentScope, specifically where user-supplied URLs are processed without adequate validation. The affected functions—_parse_url, prepare_image, and openai_audio_to_text—accept URL parameters (image_url and audio_file_url) that are subsequently fetched by the server. Without proper URL scheme and destination filtering, attackers can coerce the application into making requests to arbitrary internal or external endpoints.

The vulnerability is particularly concerning in cloud-hosted deployments where access to metadata endpoints (such as AWS's 169.254.169.254, GCP's metadata server, or Azure's Instance Metadata Service) could expose sensitive credentials, API tokens, and infrastructure configuration. The exploit has been publicly disclosed, increasing the risk of active exploitation.

Root Cause

The root cause of this vulnerability is improper input validation in URL handling functions. The affected code paths fail to implement adequate controls to:

  1. Validate URL schemes (allowing file://, gopher://, or other dangerous protocols)
  2. Filter destination hosts (permitting requests to private IP ranges and cloud metadata endpoints)
  3. Implement allow-list based URL validation
  4. Sanitize or normalize URL inputs before processing

This allows attackers to supply crafted URLs that redirect server-side requests to unintended destinations, bypassing network security boundaries.

Attack Vector

This vulnerability is exploitable remotely over the network without requiring authentication or user interaction. An attacker can craft malicious requests containing specially formatted URLs targeting:

  • Cloud metadata endpoints to harvest instance credentials
  • Internal services not exposed to the public internet
  • Localhost services for information gathering
  • External attacker-controlled servers for data exfiltration

The attack vector leverages the application's ability to make outbound HTTP requests on behalf of the user, effectively turning the vulnerable server into a proxy for unauthorized network access.

For technical exploitation details, refer to the GitHub Gist Exploit Reference which contains proof-of-concept information.

Detection Methods for CVE-2026-6604

Indicators of Compromise

  • Unusual outbound requests from AgentScope servers to cloud metadata IP addresses (e.g., 169.254.169.254, metadata.google.internal)
  • Server logs showing requests with image_url or audio_file_url parameters containing internal IP addresses or localhost references
  • Network traffic from the application server to unexpected internal network segments
  • Requests containing URL schemes other than HTTP/HTTPS (e.g., file://, gopher://, dict://)

Detection Strategies

  • Implement network monitoring rules to alert on outbound connections from AgentScope servers to metadata endpoints or private IP ranges
  • Deploy web application firewall (WAF) rules to detect and block SSRF patterns in request parameters
  • Enable verbose logging for the _openai_tools.py module to capture all URL processing attempts
  • Configure intrusion detection systems (IDS) to flag requests containing internal IP addresses in URL parameters

Monitoring Recommendations

  • Establish baseline network behavior for AgentScope deployments and alert on deviations
  • Monitor for credential usage anomalies that could indicate compromised cloud metadata
  • Implement egress filtering logs and review for unexpected destination patterns
  • Set up alerts for any access attempts to cloud metadata endpoints from application servers

How to Mitigate CVE-2026-6604

Immediate Actions Required

  • Restrict network egress from AgentScope servers using firewall rules to block access to metadata endpoints and internal networks
  • Implement URL validation at the application level using an allow-list approach
  • If cloud-hosted, configure instance metadata service to require IMDSv2 (session tokens) to mitigate SSRF exploitation
  • Review logs for evidence of exploitation and rotate any potentially exposed credentials

Patch Information

At the time of this writing, the vendor (ModelScope) was contacted about this vulnerability but did not respond. Users should monitor the official AgentScope repository for security updates. In the absence of an official patch, implement the workarounds described below.

For additional vulnerability details, see the VulDB Vulnerability #358239 entry and the VulDB Submission #792224.

Workarounds

  • Deploy a network-level block on metadata endpoints (169.254.169.254, metadata.google.internal, etc.) from AgentScope application servers
  • Implement a reverse proxy with URL filtering to validate all outbound requests before processing
  • Consider upgrading to a patched version when available, or fork and patch the affected functions to implement proper URL validation
  • Isolate AgentScope deployments in network segments with restricted access to sensitive internal resources
bash
# Network firewall rule to block metadata endpoint access (iptables example)
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 169.254.0.0/16 -j DROP

# AWS - Require IMDSv2 to mitigate SSRF exploitation
aws ec2 modify-instance-metadata-options \
    --instance-id <instance-id> \
    --http-tokens required \
    --http-endpoint enabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.