AI Threat Alert AI Threat Alert

CVE-2026-26013: langchain-core: SSRF allows internal network access

GHSA-2g6r-c272-w58r LOW
Published February 10, 2026
CISO Take

LangChain SSRF in token counting for vision models allows unauthenticated attackers to trigger internal network requests by supplying malicious image URLs in multimodal inputs. CVSS 3.7 understates real-world risk: in cloud-hosted AI applications, SSRF reaches cloud metadata services (AWS IMDSv1, GCP), enabling credential theft beyond the stated availability-only impact. Patch to langchain-core >= 1.2.11 now; any public-facing LangChain app accepting vision inputs is exposed.

Risk Assessment

Effective risk is MEDIUM despite Low CVSS. AC:H is questionable in practice — any application accepting user-supplied multimodal messages satisfies the attack condition with no special setup. The CVSS vector only credits A:L, but SSRF in cloud environments routinely yields credential exfiltration via IMDSv1 endpoints, misrepresenting the confidentiality impact. Not in KEV and no known active exploitation, but the exploitation path is trivial once the condition is met. Exposure is broad: LangChain is the dominant LLM framework, and vision model usage is growing rapidly.

Affected Systems

Package Ecosystem Vulnerable Range Patched
langchain-core pip < 1.2.11 1.2.11
135.7K OpenSSF 6.5 4.3K dependents Pushed 7d ago 88% patched ~20d to patch Full package profile →
langchain_core pip No patch
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →

Severity & Risk

CVSS 3.1
3.7 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 5% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV AC PR UI S C I A
AV Network
AC High
PR None
UI None
S Unchanged
C None
I None
A Low

Recommended Action

5 steps

  1. Patch: Upgrade langchain-core to >= 1.2.11 immediately. Run pip show langchain-core to confirm version.

  2. Workaround if patching is blocked: Validate and allowlist image URLs in user input before passing to ChatOpenAI — reject non-HTTPS URLs and URLs resolving to RFC 1918/link-local ranges.

  3. Cloud hardening: Enable IMDSv2 (hop limit = 1) on all EC2/GCE instances running LangChain to block metadata SSRF impact. Disable IMDSv1 explicitly.

  4. Network controls: Restrict egress from LangChain application hosts to required destinations only; block 169.254.169.254, 100.100.100.200, and internal RFC 1918 ranges at the host firewall.

  5. Detection: Log and alert on outbound HTTP requests from LLM application processes to non-approved destinations. Monitor for requests to metadata endpoints in application logs.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Framework RAG Agent AML.T0006 AML.T0010.001 AML.T0049 AML.T0051.001 AML.T0053 AML.T0055

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2.3 - AI system input controls A.8.4 - AI system input controls A.9.1 - Security of AI systems A.9.3 - AI system vulnerability management
NIST AI RMF
GOVERN 1.7 - Processes and procedures are in place for decommissioning and phasing out AI systems MANAGE 2.2 - Mechanisms for managing AI risks are in place
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities LLM05:2025 - Supply Chain Vulnerabilities LLM07 - System Prompt Leakage LLM07:2025 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-26013?

LangChain SSRF in token counting for vision models allows unauthenticated attackers to trigger internal network requests by supplying malicious image URLs in multimodal inputs. CVSS 3.7 understates real-world risk: in cloud-hosted AI applications, SSRF reaches cloud metadata services (AWS IMDSv1, GCP), enabling credential theft beyond the stated availability-only impact. Patch to langchain-core >= 1.2.11 now; any public-facing LangChain app accepting vision inputs is exposed.

Is CVE-2026-26013 actively exploited?

No confirmed active exploitation of CVE-2026-26013 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-26013?

1. Patch: Upgrade langchain-core to >= 1.2.11 immediately. Run `pip show langchain-core` to confirm version. 2. Workaround if patching is blocked: Validate and allowlist image URLs in user input before passing to ChatOpenAI — reject non-HTTPS URLs and URLs resolving to RFC 1918/link-local ranges. 3. Cloud hardening: Enable IMDSv2 (hop limit = 1) on all EC2/GCE instances running LangChain to block metadata SSRF impact. Disable IMDSv1 explicitly. 4. Network controls: Restrict egress from LangChain application hosts to required destinations only; block 169.254.169.254, 100.100.100.200, and internal RFC 1918 ranges at the host firewall. 5. Detection: Log and alert on outbound HTTP requests from LLM application processes to non-approved destinations. Monitor for requests to metadata endpoints in application logs.

What systems are affected by CVE-2026-26013?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks (LangChain-based), Vision/multimodal LLM pipelines, Multi-tenant SaaS LLM applications, RAG pipelines with image ingestion, Model serving with user-controlled multimodal inputs.

What is the CVSS score for CVE-2026-26013?

CVE-2026-26013 has a CVSS v3.1 base score of 3.7 (LOW). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.

Exploitation Scenario

Attacker submits a multimodal chat message to a public-facing LangChain application (e.g., a GPT-4o assistant accepting images): the message contains a `image_url` pointing to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` (AWS IMDSv1). When the application calls `get_num_tokens_from_messages()` to estimate cost/context before the LLM call, LangChain fetches the URL server-side without validation. On an EC2 host with IMDSv1 enabled, the response returns IAM role credentials with full AWS access. The attacker never needs to interact with the LLM itself — the vulnerability fires in the preprocessing step, making it invisible to LLM-level input filtering.

Weaknesses (CWE)

CWE-918 Primary CWE-918 Server-Side Request Forgery (SSRF) Primary

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References

Timeline

Published
February 10, 2026
Last Modified
March 17, 2026
First Seen
February 10, 2026

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed