ATR-2026-00568high工具下毒experimental
Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL
An agent tool fetches an attacker-controlled URL with no scheme allowlist or private-network block, letting it reach cloud-metadata endpoints (credential theft), local files via file://, or SSRF-only schemes (gopher/dict). Detects those unambiguous internal targets. Generalizes across CVE-2026-40150/40160 (PraisonAIAgents), CVE-2026-7817 (pgAdmin), CVE-2026-45401 (Open WebUI).
嚴重度
high
類別
工具下毒
掃描目標
runtime
作者
ATR Community
建議回應
alert
參考資料
OWASP Agentic
ASI05:2026 - Unexpected Code Execution
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application
偵測條件
組合方式: any- 01Fetch targets a cloud-metadata IP/host, a file:// system path, or a gopher/dict SSRF scheme欄位: content運算子: regex
攻擊範例(規則會觸發)
web_crawl("http://169.254.169.254/latest/meta-data/iam/security-credentials/")api_url=http://metadata.google.internal/computeMetadata/v1/instance/
fetch("file:///etc/passwd")gopher://127.0.0.1:6379/_FLUSHALL
以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。
正常樣本(規則不會觸發)
- benign sample 1
fetch("https://api.openai.com/v1/chat/completions") - benign sample 2
url = "http://localhost:8000/health"
- benign sample 3
open("/etc/hostname") - benign sample 4
crawl("https://example.com/blog")
完整 YAML 定義
在 GitHub 編輯 →title: Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL
id: ATR-2026-00568
rule_version: 1
status: experimental
description: An agent tool fetches an attacker-controlled URL with no scheme allowlist or private-network block, letting it reach cloud-metadata endpoints (credential theft), local files via file://, or SSRF-only schemes (gopher/dict). Detects those unambiguous internal targets. Generalizes across CVE-2026-40150/40160 (PraisonAIAgents), CVE-2026-7817 (pgAdmin), CVE-2026-45401 (Open WebUI).
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
cve:
- CVE-2026-40150
- CVE-2026-40160
- CVE-2026-7817
- CVE-2026-45401
cwe:
- CWE-918
- CWE-552
external:
- https://nvd.nist.gov/vuln/detail/CVE-2026-40150
owasp_llm:
- LLM06:2025 - Excessive Agency
owasp_agentic:
- ASI05:2026 - Unexpected Code Execution
mitre_atlas:
- AML.T0049 - Exploit Public-Facing Application
metadata_provenance:
cve: human-authored
cwe: human-authored
compliance:
eu_ai_act:
- article: "15"
context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL)."
strength: primary
- article: "9"
context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL)."
strength: secondary
nist_ai_rmf:
- subcategory: "MS.2.7"
context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL)."
strength: primary
- subcategory: "MG.3.2"
context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL)."
strength: secondary
iso_42001:
- clause: "8.1"
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL)."
strength: primary
- clause: "8.3"
context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the tool-poisoning technique (Agent SSRF to cloud metadata / file inclusion via unvalidated fetch URL) as a treatment control."
strength: secondary
tags:
category: tool-poisoning
scan_target: runtime
confidence: high
agent_source:
type: llm_io
framework:
- any
provider:
- any
detection:
condition: any
false_positives: []
conditions:
- field: content
operator: regex
value: (?i)(?:169\.254\.169\.254|metadata\.google\.internal|100\.100\.100\.200|fd00:ec2::254)(?:[:/]|\b)|\bfile://(?:/?(?:etc|proc|root|home|var/run|sys)/)|\bgopher://|\bdict://
description: Fetch targets a cloud-metadata IP/host, a file:// system path, or a gopher/dict SSRF scheme
response:
actions:
- alert
notify:
- security_team
test_cases:
true_positives:
- input: web_crawl("http://169.254.169.254/latest/meta-data/iam/security-credentials/")
expected: triggered
description: attack sample 1
- input: api_url=http://metadata.google.internal/computeMetadata/v1/instance/
expected: triggered
description: attack sample 2
- input: fetch("file:///etc/passwd")
expected: triggered
description: attack sample 3
- input: gopher://127.0.0.1:6379/_FLUSHALL
expected: triggered
description: attack sample 4
true_negatives:
- input: fetch("https://api.openai.com/v1/chat/completions")
expected: not_triggered
description: benign sample 1
- input: url = "http://localhost:8000/health"
expected: not_triggered
description: benign sample 2
- input: open("/etc/hostname")
expected: not_triggered
description: benign sample 3
- input: crawl("https://example.com/blog")
expected: not_triggered
description: benign sample 4