CVE-2026-6606 Overview
CVE-2026-6606 is a Server-Side Request Forgery (SSRF) vulnerability in ModelScope AgentScope versions up to 1.0.18. The flaw resides in the _process_audio_block function within src/agentscope/agent/_agent_base.py. Attackers can manipulate the url argument to force the server to issue requests to attacker-controlled or internal destinations. The issue is remotely exploitable and requires no authentication or user interaction. A public proof-of-concept exists, and the vendor did not respond to disclosure attempts. The weakness is classified under CWE-918.
Critical Impact
Remote, unauthenticated attackers can coerce AgentScope instances into making arbitrary outbound requests, enabling internal network reconnaissance, metadata service abuse, and data exfiltration.
Affected Products
- ModelScope AgentScope versions up to and including 1.0.18
- Deployments invoking _process_audio_block with attacker-controllable URLs
- Agent workflows that accept audio block inputs from untrusted sources
Discovery Timeline
- 2026-04-20 - CVE-2026-6606 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-6606
Vulnerability Analysis
The vulnerability is a Server-Side Request Forgery (SSRF) in the agent base implementation of AgentScope. The _process_audio_block function fetches audio content from a URL supplied by the caller. The function does not validate or restrict the supplied URL against an allowlist of permitted schemes or hosts. As a result, the server processes requests targeting internal services, cloud instance metadata endpoints, or loopback interfaces.
Attackers can leverage this primitive to map internal networks reachable by the AgentScope host. They can also target unauthenticated internal HTTP services and read responses returned to the agent context. In cloud deployments, the SSRF can be aimed at metadata services to retrieve temporary credentials.
Root Cause
The root cause is missing input validation on the url parameter passed into _process_audio_block. The function trusts caller-supplied URLs and performs an outbound network fetch without scheme, host, or IP-range restrictions. There is no enforcement against private address ranges or link-local metadata addresses.
Attack Vector
Exploitation is performed remotely over the network. An attacker submits an audio block referencing a crafted URL pointing to an internal resource such as http://127.0.0.1, http://169.254.169.254, or another internal host. AgentScope dispatches the request from its own context, and response data or side effects flow back through the agent. Public exploit material referenced for this CVE is hosted in the GitHub Gist PoC Repository and tracked in VulDB Vulnerability #358241.
Detection Methods for CVE-2026-6606
Indicators of Compromise
- Outbound HTTP requests from AgentScope hosts to internal RFC1918 ranges or 169.254.169.254.
- Audit log entries showing _process_audio_block calls with URLs referencing non-public hosts.
- Unexpected DNS resolutions for internal hostnames originating from the AgentScope process.
- Cloud metadata service access patterns where none existed before deployment of AgentScope.
Detection Strategies
- Inspect application logs for invocations of _process_audio_block and correlate URLs against an allowlist.
- Monitor egress traffic from the AgentScope host for requests to loopback, private, and link-local addresses.
- Add web application firewall rules that flag inbound payloads containing internal IP literals in audio block fields.
Monitoring Recommendations
- Forward AgentScope process and network telemetry to a centralized analytics platform for correlation.
- Enable cloud provider metadata service auditing and alert on access from workloads that should not require it.
- Track DNS queries from the AgentScope service account and alert on resolutions of internal zones.
How to Mitigate CVE-2026-6606
Immediate Actions Required
- Restrict network egress from AgentScope hosts to an explicit allowlist of required external destinations.
- Block access from AgentScope workloads to cloud metadata endpoints such as 169.254.169.254.
- Validate any caller-supplied URL passed to audio block processing against an allowlist before invocation.
- Disable or gate audio block ingestion from untrusted users until a fixed version is available.
Patch Information
At the time of publication, no vendor patch is referenced in the NVD entry. The vendor did not respond to disclosure. Monitor the ModelScope AgentScope project for updates beyond version 1.0.18 and apply fixes when released. Refer to VulDB Vulnerability #358241 for ongoing tracking.
Workarounds
- Run AgentScope inside a network namespace that denies traffic to private and link-local ranges.
- Use IMDSv2 with hop-limit 1 on AWS to prevent SSRF-based credential theft from instance metadata.
- Proxy all outbound HTTP requests from AgentScope through an egress filter that enforces a host allowlist.
- Patch _process_audio_block locally to reject URLs whose resolved IP falls within private, loopback, or reserved ranges.
# Configuration example: iptables egress restriction for AgentScope host
iptables -A OUTPUT -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -d 169.254.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

