CVE-2026-26019: langchain_community: SSRF allows internal network access
Severity: MEDIUM
CVE-2026-26019 is an SSRF vulnerability in LangChain's RecursiveUrlLoader — if you're using it in any RAG ingestion pipeline or web research agent, an attacker controlling any page in the crawl path can redirect your crawler to cloud metadata endpoints (AWS IMDSv1, GCP metadata) or internal RFC 1918 infrastructure. Upgrade @langchain/community to 1.1.14 immediately. If you cannot patch today, disable RecursiveUrlLoader or enforce network-level SSRF controls (IMDSv2 enforcement, block 169.254.169.254 at the firewall).
What is the risk?
Nominal CVSS is 4.1 (Medium), but contextual risk is significantly elevated in cloud-hosted AI workloads. The SSRF can reach AWS IMDSv1 without requiring token headers, enabling IAM credential theft whose impact extends beyond the vulnerable component itself (the Changed scope in the CVSS vector). In environments running LangChain agents on EC2, ECS, or Lambda, successful exploitation could escalate to account-level compromise. The attack requires the crawler to visit an attacker-influenced page (UI:R); for LLM-powered research agents that crawl the open web this is a routine condition of real-world crawl operations, not a theoretical edge case.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LangChain | pip | — | No patch |
Do you use LangChain? You're affected.
What should I do?
Five steps:
1. PATCH: Upgrade @langchain/community to >= 1.1.14 immediately. Verify package-lock.json or yarn.lock reflects the update.
2. NETWORK CONTROLS: Enforce IMDSv2 (token-required) on all EC2/ECS instances running LangChain workloads. Block access to 169.254.169.254 via iptables/security groups. Block RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from application-layer outbound requests.
3. WORKAROUND (if unable to patch): Replace RecursiveUrlLoader with a custom crawler that parses each URL with a real URL parser and checks the parsed host against an explicit allowlist, rather than string prefix matching.
4. DETECTION: Monitor for outbound requests to 169.254.169.254, ::1, or private IP ranges from LangChain application pods/containers. Alert on HTTP requests from application processes to cloud metadata endpoints.
5. AUDIT: Review all usages of RecursiveUrlLoader in your codebase, especially those accepting URLs from user input or external data sources.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-26019?
An SSRF vulnerability in the RecursiveUrlLoader of @langchain/community, fixed in 1.1.14: an attacker who controls a page in the crawl path can steer the crawler to cloud metadata endpoints or internal RFC 1918 addresses. See the summary at the top of this page.
Is CVE-2026-26019 actively exploited?
No confirmed active exploitation of CVE-2026-26019 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-26019?
Follow the five steps under "What should I do?" above: patch to @langchain/community >= 1.1.14; add network controls (IMDSv2, block 169.254.169.254 and RFC 1918 egress); if you cannot patch, replace RecursiveUrlLoader with an allowlisting crawler; monitor egress to metadata and private ranges; and audit every RecursiveUrlLoader usage.
What systems are affected by CVE-2026-26019?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, web scraping and document ingestion pipelines, LLM-powered research agents, autonomous AI agents with web access.
What is the CVSS score for CVE-2026-26019?
CVE-2026-26019 has a CVSS v3.1 base score of 4.1 (MEDIUM). The EPSS exploitation probability is 0.37%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0006 Active Scanning
- AML.T0010.001 AI Software
- AML.T0049 Exploit Public-Facing Application
- AML.T0051.001 Indirect
- AML.T0053 AI Agent Tool Invocation
- AML.T0064 Gather RAG-Indexed Targets
- AML.T0075 Cloud Service Discovery
- AML.T0085 Data from AI Services
What are the technical details?
Original Advisory
LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target, causing the crawler to follow links to attacker-controlled or internal infrastructure. Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services, localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction. This vulnerability is fixed in 1.1.14.
Exploitation Scenario
An adversary targeting a company that uses a LangChain-powered research agent for competitive intelligence identifies that the agent crawls industry news sites. The adversary compromises or creates a page on a domain sharing a prefix with the crawl target (e.g., target-news.com vs target-news.com.attacker.com) or embeds a link to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on a page the crawler will visit. When the research agent's RecursiveUrlLoader processes the malicious page, it follows the link without validation, fetches the AWS metadata endpoint, and the response (containing temporary IAM credentials) is processed as content — potentially stored in the RAG database or logged. The attacker can then query the agent or access logs to extract the credentials and pivot to the cloud account.
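The string-prefix flaw described in the advisory and the allowlisting crawler recommended in the workaround step, as an added JavaScript example that is not code from langchainjs: a naive startsWith() check of the kind the advisory describes, next to a hardened check that parses the link with the WHATWG URL class, matches the parsed host against an explicit allowlist on a label boundary, and refuses private or reserved IP literals. The allowlist, host names (target-news.com, attacker.com) and URLs are constructed for this example and reuse the scenario above.

```javascript
// Added example, not code from langchainjs. Shows the flaw the advisory
// describes (string-prefix comparison) beside a hardened URL check.

// Naive check of the kind the advisory describes: a bare string-prefix test.
// "https://target-news.com" is a prefix of "https://target-news.com.attacker.com/x",
// so the attacker's host passes.
function naivePreventOutside(link, baseUrl) {
  return link.startsWith(baseUrl);
}

// IP literals a crawler must never fetch, tested on the parsed hostname:
// IPv4 loopback, RFC 1918, link-local (which includes 169.254.169.254), the
// unspecified address, and IPv6 loopback, unspecified, link-local and ULA.
// The set of ranges is an assumption for this example; extend it as needed.
const RESERVED_HOST = /^(127\.|10\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|0\.0\.0\.0$|::1$|::$|fe80:|f[cd][0-9a-f]{2}:)/i;

function isReservedHost(hostname) {
  return RESERVED_HOST.test(hostname.replace(/^\[|\]$/g, "").toLowerCase());
}

// Exact match or a subdomain of an allowlisted host, compared on a label
// boundary: "news.target-news.com" matches "target-news.com",
// "target-news.com.attacker.com" does not.
function hostMatchesAllowlist(hostname, allowlist) {
  return allowlist.some((a) => hostname === a || hostname.endsWith("." + a));
}

// Hardened check: parse first, then decide on the parsed components only.
function isSafeCrawlTarget(link, allowlist) {
  let url;
  try {
    url = new URL(link); // semantic parse; also normalises "0x7f000001" to 127.0.0.1
  } catch {
    return false; // unparseable link: never fetch
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password) return false; // e.g. "http://target-news.com@attacker.com/"
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (isReservedHost(host)) return false;
  return hostMatchesAllowlist(host, allowlist);
}

// What a replacement crawler would do with the links found on a fetched page.
function selectCrawlableLinks(links, allowlist) {
  return links.filter((l) => isSafeCrawlTarget(l, allowlist));
}

// Stand-alone run over constructed links from the scenario above.
const ALLOWLIST = ["target-news.com"];
const PAGE_LINKS = [
  "https://target-news.com/news/1",
  "https://www.target-news.com/a?b=1",
  "https://target-news.com.attacker.com/x",
  "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
  "http://0x7f000001/",
];
for (const l of PAGE_LINKS) {
  console.log(
    `${l}: naive=${naivePreventOutside(l, "https://target-news.com")} hardened=${isSafeCrawlTarget(l, ALLOWLIST)}`
  );
}
```

Two design points: the reserved-address test runs on the hostname after URL parsing, so decimal, octal and hex spellings of the same address are normalised before the regex sees them; and the allowlist comparison is an exact host or a ".host" suffix, never a raw prefix, which is exactly the distinction the advisory draws.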
Weaknesses (CWE)
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
References
- github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d Patch
- github.com/langchain-ai/langchainjs/pull/9990 Issue Patch
- github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14 Release
- github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7 Vendor
Related Vulnerabilities
- CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata (same package: langchain)
- CVE-2023-34540 9.8 LangChain: RCE via JiraAPIWrapper crafted input (same package: langchain)
- CVE-2023-29374 9.8 LangChain: RCE via prompt injection in LLMMathChain (same package: langchain)
- CVE-2023-34541 9.8 LangChain: RCE via unsafe load_prompt deserialization (same package: langchain)
- CVE-2023-36258 9.8 LangChain: unauthenticated RCE via code injection (same package: langchain)