CVE-2026-26013: LangChain Core SSRF — LOW

CISO Take

LangChain SSRF in token counting for vision models allows unauthenticated attackers to trigger internal network requests by supplying malicious image URLs in multimodal inputs. CVSS 3.7 understates real-world risk: in cloud-hosted AI applications, SSRF reaches cloud metadata services (AWS IMDSv1, GCP), enabling credential theft beyond the stated availability-only impact. Patch to langchain-core >= 1.2.11 now; any public-facing LangChain app accepting vision inputs is exposed.

What is the risk?

Effective risk is MEDIUM despite Low CVSS. AC:H is questionable in practice — any application accepting user-supplied multimodal messages satisfies the attack condition with no special setup. The CVSS vector only credits A:L, but SSRF in cloud environments routinely yields credential exfiltration via IMDSv1 endpoints, misrepresenting the confidentiality impact. Not in KEV and no known active exploitation, but the exploitation path is trivial once the condition is met. Exposure is broad: LangChain is the dominant LLM framework, and vision model usage is growing rapidly.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LangChain Core	pip	< 1.2.11	`1.2.11`
139.8K OpenSSF 5.9 4.8K dependents Pushed 2d ago 78% patched ~23d to patch Full package profile →
LangChain	pip	—	No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →

How severe is it?

CVSS 3.1

3.7 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 29% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC High

PR None

UI None

S Unchanged

C None

I None

A Low

What should I do?

5 steps

Patch: Upgrade langchain-core to >= 1.2.11 immediately. Run pip show langchain-core to confirm version.
Workaround if patching is blocked: Validate and allowlist image URLs in user input before passing to ChatOpenAI — reject non-HTTPS URLs and URLs resolving to RFC 1918/link-local ranges.
Cloud hardening: Enable IMDSv2 (hop limit = 1) on all EC2/GCE instances running LangChain to block metadata SSRF impact. Disable IMDSv1 explicitly.
Network controls: Restrict egress from LangChain application hosts to required destinations only; block 169.254.169.254, 100.100.100.200, and internal RFC 1918 ranges at the host firewall.
Detection: Log and alert on outbound HTTP requests from LLM application processes to non-approved destinations. Monitor for requests to metadata endpoints in application logs.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Framework RAG Agent AML.T0006 - Active Scanning AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.3 - AI system input controls A.8.4 - AI system input controls A.9.1 - Security of AI systems A.9.3 - AI system vulnerability management

NIST AI RMF

GOVERN 1.7 - Processes and procedures are in place for decommissioning and phasing out AI systems MANAGE 2.2 - Mechanisms for managing AI risks are in place

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM05:2025 - Supply Chain Vulnerabilities LLM07 - System Prompt Leakage LLM07:2025 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-26013?

LangChain SSRF in token counting for vision models allows unauthenticated attackers to trigger internal network requests by supplying malicious image URLs in multimodal inputs. CVSS 3.7 understates real-world risk: in cloud-hosted AI applications, SSRF reaches cloud metadata services (AWS IMDSv1, GCP), enabling credential theft beyond the stated availability-only impact. Patch to langchain-core >= 1.2.11 now; any public-facing LangChain app accepting vision inputs is exposed.

Is CVE-2026-26013 actively exploited?

No confirmed active exploitation of CVE-2026-26013 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-26013?

1. Patch: Upgrade langchain-core to >= 1.2.11 immediately. Run `pip show langchain-core` to confirm version. 2. Workaround if patching is blocked: Validate and allowlist image URLs in user input before passing to ChatOpenAI — reject non-HTTPS URLs and URLs resolving to RFC 1918/link-local ranges. 3. Cloud hardening: Enable IMDSv2 (hop limit = 1) on all EC2/GCE instances running LangChain to block metadata SSRF impact. Disable IMDSv1 explicitly. 4. Network controls: Restrict egress from LangChain application hosts to required destinations only; block 169.254.169.254, 100.100.100.200, and internal RFC 1918 ranges at the host firewall. 5. Detection: Log and alert on outbound HTTP requests from LLM application processes to non-approved destinations. Monitor for requests to metadata endpoints in application logs.

What systems are affected by CVE-2026-26013?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks (LangChain-based), Vision/multimodal LLM pipelines, Multi-tenant SaaS LLM applications, RAG pipelines with image ingestion, Model serving with user-controlled multimodal inputs.

What is the CVSS score for CVE-2026-26013?

CVE-2026-26013 has a CVSS v3.1 base score of 3.7 (LOW). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

Agent frameworks (LangChain-based)Vision/multimodal LLM pipelinesMulti-tenant SaaS LLM applicationsRAG pipelines with image ingestionModel serving with user-controlled multimodal inputs

MITRE ATLAS Techniques

AML.T0006 Active Scanning

AML.T0010.001 AI Software

AML.T0049 Exploit Public-Facing Application

AML.T0051.001 Indirect

AML.T0053 AI Agent Tool Invocation

AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15, Article 15, Article 9

ISO 42001: A.6.2.3, A.8.4, A.9.1, A.9.3

NIST AI RMF: GOVERN 1.7, MANAGE 2.2

OWASP LLM Top 10: LLM03, LLM05:2025, LLM07, LLM07:2025

What are the technical details?

Original Advisory

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.

Exploitation Scenario

Attacker submits a multimodal chat message to a public-facing LangChain application (e.g., a GPT-4o assistant accepting images): the message contains a `image_url` pointing to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` (AWS IMDSv1). When the application calls `get_num_tokens_from_messages()` to estimate cost/context before the LLM call, LangChain fetches the URL server-side without validation. On an EC2 host with IMDSv1 enabled, the response returns IAM role credentials with full AWS access. The attacker never needs to interact with the LLM itself — the vulnerability fires in the preprocessing step, making it invisible to LLM-level input filtering.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF) Primary CWE-918 Server-Side Request Forgery (SSRF) Primary

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.