Pydantic AI Updates: May 23, 2026
1. Pydantic AI v1.102.0 patches an IPv6 SSRF blocklist bypass and tightens Bedrock strict-mode handling
Pydantic AI. v1.102.0 lands a security fix for GHSA-cg7w-rg45-pc59, expanding IPv6 transition-form handling in URL validation to close an SSRF cloud-metadata blocklist bypass that affected FileUrl callers running with force_download='allow-local' against untrusted URLs in NAT64 or ISATAP environments. Bundled integrations such as Agent.to_web, VercelAIAdapter, and AGUIAdapter were not exposed, and standard dual-stack cloud VMs and containers are unaffected. The release also stops Bedrock from auto-promoting strict=None tools to strict mode on outdated botocore versions, disables native structured output for Claude Opus 4.7 on Bedrock, kills a false-positive variable_instructions span attribute in instrumentation, lets VercelAIAdapter accept providerExecuted and title on dynamic-tool messages, and normalizes trailing dots and case sensitivity in WebFetchTool domain matching. Source
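The check below is an added example, not Pydantic AI's own code: it unwraps the IPv4 address carried inside NAT64 and ISATAP addresses (and, going beyond the two forms named above, 6to4 and IPv4-mapped addresses) before applying an IPv4 blocklist. The names BLOCKED_V4, embedded_ipv4 and is_blocked, the blocklist contents and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed blocklist for illustration: the IPv4 link-local range, which holds
# the usual cloud metadata address. Native IPv6 entries are out of scope here.
BLOCKED_V4 = [ipaddress.ip_network("169.254.0.0/16")]
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")   # RFC 6052 well-known prefix
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")    # RFC 3056
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # RFC 5214


def embedded_ipv4(addr):
    """Return every IPv4 address that an IPv6 transition form may carry."""
    raw, found = addr.packed, []
    if addr.ipv4_mapped is not None:          # ::ffff:a.b.c.d
        found.append(addr.ipv4_mapped)
    if addr in NAT64_WKP:                     # IPv4 in the low 32 bits
        found.append(ipaddress.IPv4Address(raw[12:]))
    if addr in SIX_TO_FOUR:                   # IPv4 in bits 16..47
        found.append(ipaddress.IPv4Address(raw[2:6]))
    if raw[8:12] in ISATAP_IIDS:              # interface ID ends in the IPv4
        found.append(ipaddress.IPv4Address(raw[12:]))
    return found


def is_blocked(url):
    """True when the URL's literal IP host maps onto a blocked IPv4 range."""
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: resolve first, then check each address
    candidates = [addr] if addr.version == 4 else embedded_ipv4(addr)
    return any(c in net for c in candidates for net in BLOCKED_V4)


# Constructed regression cases: (URL, expected verdict).
CASES = [
    ("http://169.254.169.254/", True),
    ("http://[64:ff9b::a9fe:a9fe]/", True),      # NAT64
    ("http://[fe80::5efe:a9fe:a9fe]/", True),    # ISATAP
    ("http://[64:ff9b::808:808]/", False),       # NAT64 of a public address
]

if __name__ == "__main__":
    for url, expected in CASES:
        print(url, is_blocked(url), "expected", expected)
```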
2. v2.0.0b3 backports the v1.102.0 fixes into the V2 beta with no new breaking changes
Pydantic AI. The third V2 beta was cut about five minutes after v1.102.0 and mirrors it exactly, pulling the same IPv6 SSRF patch, the Bedrock strict-mode and Claude Opus 4.7 structured-output adjustments, the instrumentation span fix, the VercelAIAdapter dynamic-tool message handling, and the WebFetchTool domain normalization into the V2 line without introducing any new breaking changes on top of v2.0.0b1. The lockstep cadence keeps the V2 beta on parity with the 1.x stable track as the team continues pushing toward a stable V2.0 cut. Source