Skip to content
ATR-2026-00568high工具下毒experimental

Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL

An agent tool fetches an attacker-controlled URL with no scheme allowlist or private-network block, letting it reach cloud-metadata endpoints (credential theft), local files via file://, or SSRF-only schemes (gopher/dict). Detects those unambiguous internal targets. Generalizes across CVE-2026-40150/40160 (PraisonAIAgents), CVE-2026-7817 (pgAdmin), CVE-2026-45401 (Open WebUI).

嚴重度
high
類別
工具下毒
掃描目標
runtime
作者
ATR Community

建議回應

alert

參考資料

OWASP Agentic
ASI05:2026 - Unexpected Code Execution
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application

偵測條件

組合方式: any
  1. 01
    Fetch targets a cloud-metadata IP/host, a file:// system path, or a gopher/dict SSRF scheme
    欄位: content運算子: regex

攻擊範例(規則會觸發)

  1. web_crawl("http://169.254.169.254/latest/meta-data/iam/security-credentials/")
  2. api_url=http://metadata.google.internal/computeMetadata/v1/instance/
  3. fetch("file:///etc/passwd")
  4. gopher://127.0.0.1:6379/_FLUSHALL

以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。

正常樣本(規則不會觸發)

  1. benign sample 1
    fetch("https://api.openai.com/v1/chat/completions")
  2. benign sample 2
    url = "http://localhost:8000/health"
  3. benign sample 3
    open("/etc/hostname")
  4. benign sample 4
    crawl("https://example.com/blog")

完整 YAML 定義

在 GitHub 編輯 →
title: Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL
id: ATR-2026-00568
rule_version: 1
status: experimental
description: An agent tool fetches an attacker-controlled URL with no scheme allowlist or private-network block, letting it reach cloud-metadata endpoints (credential theft), local files via file://, or SSRF-only schemes (gopher/dict). Detects those unambiguous internal targets. Generalizes across CVE-2026-40150/40160 (PraisonAIAgents), CVE-2026-7817 (pgAdmin), CVE-2026-45401 (Open WebUI).
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
  cve:
  - CVE-2026-40150
  - CVE-2026-40160
  - CVE-2026-7817
  - CVE-2026-45401
  cwe:
  - CWE-918
  - CWE-552
  external:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-40150
  owasp_llm:
    - LLM06:2025 - Excessive Agency
  owasp_agentic:
    - ASI05:2026 - Unexpected Code Execution
  mitre_atlas:
    - AML.T0049 - Exploit Public-Facing Application
metadata_provenance:
  cve: human-authored
  cwe: human-authored
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL)."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MS.2.7"
      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL)."
      strength: primary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL) as a treatment control."
      strength: secondary
tags:
  category: tool-poisoning
  scan_target: runtime
  confidence: high
agent_source:
  type: llm_io
  framework:
  - any
  provider:
  - any
detection:
  condition: any
  false_positives: []
  conditions:
  - field: content
    operator: regex
    value: (?i)(?:169\.254\.169\.254|metadata\.google\.internal|100\.100\.100\.200|fd00:ec2::254)(?:[:/]|\b)|\bfile://(?:/?(?:etc|proc|root|home|var/run|sys)/)|\bgopher://|\bdict://
    description: Fetch targets a cloud-metadata IP/host, a file:// system path, or a gopher/dict SSRF scheme
response:
  actions:
  - alert
  notify:
  - security_team
test_cases:
  true_positives:
  - input: web_crawl("http://169.254.169.254/latest/meta-data/iam/security-credentials/")
    expected: triggered
    description: attack sample 1
  - input: api_url=http://metadata.google.internal/computeMetadata/v1/instance/
    expected: triggered
    description: attack sample 2
  - input: fetch("file:///etc/passwd")
    expected: triggered
    description: attack sample 3
  - input: gopher://127.0.0.1:6379/_FLUSHALL
    expected: triggered
    description: attack sample 4
  true_negatives:
  - input: fetch("https://api.openai.com/v1/chat/completions")
    expected: not_triggered
    description: benign sample 1
  - input: url = "http://localhost:8000/health"
    expected: not_triggered
    description: benign sample 2
  - input: open("/etc/hostname")
    expected: not_triggered
    description: benign sample 3
  - input: crawl("https://example.com/blog")
    expected: not_triggered
    description: benign sample 4

修訂歷史

建立於
2026-06-02
最後修改
2026-07-15
在 GitHub 查看完整 commit 歷史 →