Skip to main content
CVE Vulnerability Database

CVE-2026-6605: modelscope agentscope SSRF Vulnerability

CVE-2026-6605 is a server-side request forgery flaw in modelscope agentscope up to version 1.0.18 that enables remote attackers to manipulate internal services. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-6605 Overview

A Server-Side Request Forgery (SSRF) vulnerability has been discovered in modelscope agentscope versions up to and including 1.0.18. This vulnerability affects the _get_bytes_from_web_url function located in the file src/agentscope/_utils/_common.py of the Internal Service component. By manipulating input parameters, an attacker can perform SSRF attacks to access internal resources, potentially bypassing network security controls and accessing sensitive data from internal services.

Critical Impact

Remote attackers can exploit this SSRF vulnerability to make the server perform requests to internal services, potentially leading to unauthorized access to internal infrastructure, data exfiltration, or further lateral movement within the network.

Affected Products

  • modelscope agentscope versions up to 1.0.18
  • Applications utilizing the Internal Service component with _get_bytes_from_web_url function

Discovery Timeline

  • 2026-04-20 - CVE-2026-6605 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-6605

Vulnerability Analysis

This SSRF vulnerability (CWE-918) resides in the _get_bytes_from_web_url function within the agentscope utility module. The function is responsible for fetching content from web URLs but fails to properly validate and restrict the target URLs that can be requested. This allows attackers to supply crafted URLs pointing to internal network resources, cloud metadata services, or other restricted endpoints.

The vulnerability is remotely exploitable without authentication, meaning any attacker with network access to the affected service can potentially abuse this flaw. The impact includes confidentiality, integrity, and availability concerns, as attackers can read internal data, potentially modify configurations through internal APIs, and cause service disruption.

Root Cause

The root cause of this vulnerability is insufficient input validation in the _get_bytes_from_web_url function. The function does not implement proper URL scheme restrictions, hostname allowlisting, or IP address validation to prevent requests to internal or restricted network resources. This lack of URL sanitization allows user-controlled input to dictate the destination of server-initiated HTTP requests.

Attack Vector

The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by providing a malicious URL to the vulnerable function through the Internal Service component. Common SSRF attack techniques include:

  • Targeting cloud metadata endpoints (e.g., http://169.254.169.254/) to retrieve cloud instance credentials
  • Accessing internal services on localhost or private IP ranges
  • Port scanning internal infrastructure through the vulnerable server
  • Bypassing firewall restrictions to reach otherwise inaccessible services

A proof-of-concept has been publicly released and is available through the GitHub Gist PoC Code. Technical details about this vulnerability are also documented in the VulDB Vulnerability #358240 entry.

Detection Methods for CVE-2026-6605

Indicators of Compromise

  • Unusual outbound requests from the agentscope service to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Requests to cloud metadata endpoints (169.254.169.254) from the application server
  • Unexpected network traffic patterns from the Internal Service component
  • Log entries showing URL fetch operations targeting localhost or internal hostnames

Detection Strategies

  • Implement network monitoring to detect server-originated requests to internal IP addresses or metadata endpoints
  • Review application logs for suspicious URL patterns passed to the _get_bytes_from_web_url function
  • Deploy web application firewalls (WAF) with SSRF detection capabilities
  • Monitor for unusual DNS resolution attempts from the application server

Monitoring Recommendations

  • Enable verbose logging for the src/agentscope/_utils/_common.py module to capture all URL fetch requests
  • Set up alerts for network connections from the agentscope service to RFC 1918 private address ranges
  • Implement network segmentation monitoring to detect lateral movement attempts
  • Configure cloud security tools to alert on metadata service access attempts

How to Mitigate CVE-2026-6605

Immediate Actions Required

  • Upgrade modelscope agentscope to a version newer than 1.0.18 when a patch becomes available
  • Implement network-level controls to restrict outbound connections from the agentscope service
  • Deploy input validation at the application layer to block internal URLs and private IP addresses
  • Monitor for exploitation attempts using the detection methods outlined above

Patch Information

No official patch information is currently available from the vendor. According to the vulnerability disclosure, the vendor was contacted but did not respond. Organizations should monitor the official modelscope agentscope repository and security advisories for updates. Additional vulnerability details can be found in the VulDB Submission #792225.

Workarounds

  • Implement a URL allowlist to restrict the _get_bytes_from_web_url function to only fetch from approved external domains
  • Deploy network egress filtering to block requests to internal IP ranges, localhost, and cloud metadata endpoints
  • Use a forward proxy for all outbound requests from the agentscope service with appropriate URL filtering rules
  • Consider disabling or restricting access to the Internal Service component if not required for operations
bash
# Example network-level mitigation using iptables to block internal network access
# Block outbound connections to private IP ranges from the agentscope service
iptables -A OUTPUT -m owner --uid-owner agentscope -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner agentscope -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner agentscope -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner agentscope -d 169.254.169.254 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.