CVE-2026-6604 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in ModelScope AgentScope up to version 1.0.18. This security flaw affects the _parse_url, prepare_image, and openai_audio_to_text functions within the file src/agentscope/tool/_multi_modality/_openai_tools.py, specifically in the Cloud Metadata Endpoint component. An attacker can manipulate the image_url or audio_file_url arguments to perform unauthorized server-side requests to internal or external resources.
Critical Impact
Remote attackers can exploit this SSRF vulnerability to access internal cloud metadata endpoints, potentially exposing sensitive credentials, infrastructure details, and enabling lateral movement within cloud environments.
Affected Products
- ModelScope AgentScope versions up to and including 1.0.18
- Cloud deployments utilizing AgentScope's multi-modality tools
- Systems exposing OpenAI tool integration endpoints
Discovery Timeline
- 2026-04-20 - CVE-2026-6604 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-6604
Vulnerability Analysis
This SSRF vulnerability (CWE-918) exists in the multimodal processing components of AgentScope, specifically where user-supplied URLs are processed without adequate validation. The affected functions—_parse_url, prepare_image, and openai_audio_to_text—accept URL parameters (image_url and audio_file_url) that are subsequently fetched by the server. Without proper URL scheme and destination filtering, attackers can coerce the application into making requests to arbitrary internal or external endpoints.
The vulnerability is particularly concerning in cloud-hosted deployments where access to metadata endpoints (such as AWS's 169.254.169.254, GCP's metadata server, or Azure's Instance Metadata Service) could expose sensitive credentials, API tokens, and infrastructure configuration. The exploit has been publicly disclosed, increasing the risk of active exploitation.
Root Cause
The root cause of this vulnerability is improper input validation in URL handling functions. The affected code paths fail to implement adequate controls to:
- Validate URL schemes (allowing file://, gopher://, or other dangerous protocols)
- Filter destination hosts (permitting requests to private IP ranges and cloud metadata endpoints)
- Implement allow-list based URL validation
- Sanitize or normalize URL inputs before processing
This allows attackers to supply crafted URLs that redirect server-side requests to unintended destinations, bypassing network security boundaries.
Attack Vector
This vulnerability is exploitable remotely over the network without requiring authentication or user interaction. An attacker can craft malicious requests containing specially formatted URLs targeting:
- Cloud metadata endpoints to harvest instance credentials
- Internal services not exposed to the public internet
- Localhost services for information gathering
- External attacker-controlled servers for data exfiltration
The attack vector leverages the application's ability to make outbound HTTP requests on behalf of the user, effectively turning the vulnerable server into a proxy for unauthorized network access.
For technical exploitation details, refer to the GitHub Gist exploit reference, which contains proof-of-concept information.
Detection Methods for CVE-2026-6604
Indicators of Compromise
- Unusual outbound requests from AgentScope servers to cloud metadata IP addresses (e.g., 169.254.169.254, metadata.google.internal)
- Server logs showing requests with image_url or audio_file_url parameters containing internal IP addresses or localhost references
- Network traffic from the application server to unexpected internal network segments
- Requests containing URL schemes other than HTTP/HTTPS (e.g., file://, gopher://, dict://)
Detection Strategies
- Implement network monitoring rules to alert on outbound connections from AgentScope servers to metadata endpoints or private IP ranges
- Deploy web application firewall (WAF) rules to detect and block SSRF patterns in request parameters
- Enable verbose logging for the _openai_tools.py module to capture all URL processing attempts
- Configure intrusion detection systems (IDS) to flag requests containing internal IP addresses in URL parameters
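The log-review indicators above can be checked with a short triage script. This is an added example, not code from AgentScope or the advisory: the log line format, the `func=` field, and the names `SAMPLE_LOG`, `classify` and `scan` are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines; the log format is an assumption, not AgentScope's.
SAMPLE_LOG = """\
2026-04-21T10:02:11Z func=prepare_image image_url=https://images.example.com/cat.png
2026-04-21T10:02:15Z func=prepare_image image_url=http://169.254.169.254/placeholder
2026-04-21T10:03:40Z func=openai_audio_to_text audio_file_url=http://localhost:8080/placeholder
2026-04-21T10:04:02Z func=openai_audio_to_text audio_file_url=file:///placeholder
2026-04-21T10:05:19Z func=prepare_image image_url=http://metadata.google.internal/placeholder
"""

PARAM_RE = re.compile(r"\b(image_url|audio_file_url)=(\S+)")
INTERNAL_NAMES = {"localhost", "metadata.google.internal"}


def classify(url):
    """Return a reason string if url matches an indicator, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return f"non-HTTP scheme {parts.scheme!r}"
    host = (parts.hostname or "").rstrip(".").lower()
    if host in INTERNAL_NAMES:
        return f"internal hostname {host}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary DNS name; resolving it is out of scope here
    if not ip.is_global:  # loopback, private, link-local (metadata) ranges
        return f"non-public address {ip}"
    return None


def scan(log_text):
    """Return (line number, parameter, reason) for every suspicious URL."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for param, url in PARAM_RE.findall(line):
            reason = classify(url)
            if reason:
                hits.append((lineno, param, reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```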
Monitoring Recommendations
- Establish baseline network behavior for AgentScope deployments and alert on deviations
- Monitor for credential usage anomalies that could indicate compromised cloud metadata
- Implement egress filtering logs and review for unexpected destination patterns
- Set up alerts for any access attempts to cloud metadata endpoints from application servers
How to Mitigate CVE-2026-6604
Immediate Actions Required
- Restrict network egress from AgentScope servers using firewall rules to block access to metadata endpoints and internal networks
- Implement URL validation at the application level using an allow-list approach
- If cloud-hosted, configure the instance metadata service to require session tokens (IMDSv2 on AWS) to mitigate SSRF exploitation
- Review logs for evidence of exploitation and rotate any potentially exposed credentials
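A sketch of the allow-list URL validation called for above, covering the controls listed under Root Cause (scheme check, host allow-list, destination filtering after resolution). This is an added example, not AgentScope's code or a vendor patch; `ALLOWED_HOSTS`, `UnsafeURL`, `is_public_ip` and `validate_media_url` are hypothetical names and the hosts are placeholders.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Hypothetical allow-list: replace with the media hosts your deployment needs.
ALLOWED_HOSTS = {"images.example.com", "media.example.com"}


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched server-side."""


def is_public_ip(ip_text):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) before classifying.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_global


def validate_media_url(url, resolver=socket.getaddrinfo):
    """Return the vetted IP addresses for url, or raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("userinfo in URL is not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allow-list: {host!r}")
    # Resolve once and vet every address. The fetch should connect to one of
    # these IPs rather than re-resolve, or a DNS change can swap the target.
    infos = resolver(host, parts.port or 443, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise UnsafeURL(f"{host} resolves to a non-public address: {addrs}")
    return addrs
```

Call it before fetching `image_url` or `audio_file_url`, connect to one of the returned addresses, and disable or re-validate HTTP redirects so a redirect cannot reintroduce an internal destination.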
Patch Information
At the time of this writing, the vendor (ModelScope) was contacted about this vulnerability but did not respond. Users should monitor the official AgentScope repository for security updates. In the absence of an official patch, implement the workarounds described below.
For additional vulnerability details, see the VulDB Vulnerability #358239 entry and the VulDB Submission #792224.
Workarounds
- Deploy a network-level block on metadata endpoints (169.254.169.254, metadata.google.internal, etc.) from AgentScope application servers
- Implement a reverse proxy with URL filtering to validate all outbound requests before processing
- Consider upgrading to a patched version when available, or fork and patch the affected functions to implement proper URL validation
- Isolate AgentScope deployments in network segments with restricted access to sensitive internal resources
```bash
# Network firewall rule to block metadata endpoint access (iptables example)
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 169.254.0.0/16 -j DROP

# AWS - Require IMDSv2 to mitigate SSRF exploitation
aws ec2 modify-instance-metadata-options \
  --instance-id <instance-id> \
  --http-tokens required \
  --http-endpoint enabled
```

