CVE-2026-26019: langchain_community: SSRF allows internal network access

MEDIUM
Published February 11, 2026
CISO Take

CVE-2026-26019 is an SSRF vulnerability in LangChain's RecursiveUrlLoader — if you're using it in any RAG ingestion pipeline or web research agent, an attacker controlling any page in the crawl path can redirect your crawler to cloud metadata endpoints (AWS IMDSv1, GCP metadata) or internal RFC 1918 infrastructure. Upgrade @langchain/community to 1.1.14 immediately. If you cannot patch today, disable RecursiveUrlLoader or enforce network-level SSRF controls (IMDSv2 enforcement, block 169.254.169.254 at the firewall).

Risk Assessment

Nominal CVSS is 4.1 (Medium), but contextual risk is significantly elevated in cloud-hosted AI workloads. The SSRF can reach AWS IMDSv1 without requiring token headers, enabling IAM credential theft whose impact extends well beyond the vulnerable component (hence Scope: Changed). In environments running LangChain agents on EC2, ECS, or Lambda, successful exploitation could escalate to account-level compromise. The attack requires the crawler to visit an attacker-influenced page (UI:R); for LLM-powered research agents that crawl third-party sites as a matter of course, that condition is routinely met rather than a theoretical edge case.

Affected Systems

Package              Ecosystem   Vulnerable Range   Patched
langchain_community  pip                            No patch

Package profile: 135.7K | OpenSSF 6.5 | 2.6K dependents | Pushed 7d ago | 17% patched | ~256d to patch


Severity & Risk

CVSS 3.1: 4.1 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

Recommended Action

5 steps
  1. PATCH

    Upgrade @langchain/community to >= 1.1.14 immediately. Verify package-lock.json or yarn.lock reflects the update.

  2. NETWORK CONTROLS

    Enforce IMDSv2 (token-required) on all EC2/ECS instances running LangChain workloads. Block access to 169.254.169.254 via iptables/security groups. Block RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from application-layer outbound requests.

  3. WORKAROUND (if unable to patch)

    Replace RecursiveUrlLoader with a custom crawler that validates URLs against a semantic parser and an explicit allowlist, not string prefix matching.

  4. DETECTION

    Monitor for outbound requests to 169.254.169.254, ::1, or private IP ranges from LangChain application pods/containers. Alert on HTTP requests from application processes to cloud metadata endpoints.

  5. AUDIT

    Review all usages of RecursiveUrlLoader in your codebase, especially those accepting URLs from user input or external data sources.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  A.6.1.5 - Information Security for AI Systems
  A.6.2.6 - Risk treatment for AI systems
  A.9.4 - AI system security
NIST AI RMF
  GOVERN-6.2 - Organizational policies and practices for AI risk management
  MANAGE-2.2 - Mechanisms to sustain AI risk management
  MANAGE-2.4 - Risk Treatment and Vulnerability Mitigation
OWASP LLM Top 10
  LLM01 - Prompt Injection
  LLM03:2025 - Supply Chain Vulnerabilities
  LLM05 - Supply Chain Vulnerabilities
  LLM06:2025 - Excessive Agency
  LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-26019 actively exploited?

No confirmed active exploitation of CVE-2026-26019 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-26019?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, web scraping and document ingestion pipelines, LLM-powered research agents, autonomous AI agents with web access.

What is the CVSS score for CVE-2026-26019?

CVE-2026-26019 has a CVSS v3.1 base score of 4.1 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target, causing the crawler to follow links to attacker-controlled or internal infrastructure. Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services, localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction. This vulnerability is fixed in 1.1.14.
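The workaround in step 3 of Recommended Action and the NVD description above turn on the same two points: a string-prefix comparison is not a same-site check, and a crawler also needs an explicit refusal of private and reserved addresses. The block below is an added example written for this page; it is not code from LangChain or from @langchain/community. It places a naive prefix check modelled on the NVD description next to a hardened check built on the WHATWG URL parser, and reuses the same address classifier over constructed egress log lines as the detection logic step 4 asks for. The base URL, the sample links, the `.example` lookalike host and the log format are constructed; the address ranges and hostnames are the standard ones (RFC 1918, RFC 3927 link-local including 169.254.169.254, RFC 6598, loopback, and GCP's metadata.google.internal).

```javascript
// Added example (not @langchain/community code): prefix check vs. semantic same-site check, plus egress detection.
// Flawed: any host that merely begins with the base string passes, e.g. target-news.com.attacker.example.
function naivePreventOutside(baseUrl, candidate) {
  return candidate.startsWith(baseUrl);
}

// Dotted-quad IPv4 literal -> [a, b, c, d], else null.
function parseIpv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// RFC 1918, loopback, link-local (covers 169.254.169.254), RFC 6598, unspecified and multicast/reserved space.
function isPrivateIpv4([a, b]) {
  return a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 100 && b >= 64 && b <= 127) || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// IPv4-mapped IPv6 as the WHATWG parser serializes it (::ffff:a9fe:a9fe) -> dotted IPv4, else null.
function mappedIpv4(ip6) {
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(ip6);
  if (!hex) return null;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
}

// Names that resolve to loopback or to the GCP metadata service.
const BLOCKED_HOSTNAMES = new Set(['localhost', 'metadata', 'metadata.google.internal']);

// Classify a URL host literal. Caveat: a public name can still resolve to a private address
// (DNS rebinding), so re-run the IP tests on the resolved address at connect time as well.
function isPrivateOrReservedHost(hostname) {
  let host = hostname.toLowerCase().replace(/\.$/, '');
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith('.localhost')) return true;
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1); // WHATWG keeps brackets
  const v4 = parseIpv4(host);
  if (v4) return isPrivateIpv4(v4);
  if (!host.includes(':')) return false; // ordinary hostname: nothing more to judge from the literal
  const mapped = mappedIpv4(host);
  const mappedOctets = mapped && parseIpv4(mapped);
  if (mappedOctets) return isPrivateIpv4(mappedOctets);
  // ::1 loopback, :: unspecified, fe80::/10 link-local, fc00::/7 unique-local, ff00::/8 multicast
  return host === '::1' || host === '::' || /^(fe[89ab]|f[cd]|ff)/i.test(host);
}

// Hardened check: parse (resolving relative links against the base), accept only http(s), refuse
// private/reserved hosts, then require exactly the base host or an allowlisted host. No prefixes.
function isAllowedCrawlTarget(baseUrl, candidate, extraAllowedHosts = []) {
  let base, url;
  try {
    base = new URL(baseUrl);
    url = new URL(candidate, baseUrl);
  } catch {
    return false; // unparseable link: never fetch it
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  if (isPrivateOrReservedHost(host)) return false; // denylist wins over the allowlist
  const allowed = new Set([base.hostname, ...extraAllowedHosts].map((h) => h.toLowerCase()));
  return allowed.has(host);
}

// Detection (step 4): keep egress records whose destination is metadata, loopback or private space.
function flagEgressLines(lines) {
  return lines.filter((line) => {
    const m = /\bdst=(\[[^\]]+\]|[^:\s]+)(?::\d+)?/.exec(line); // constructed key=value log format
    return m !== null && isPrivateOrReservedHost(m[1]);
  });
}

// Constructed samples: links a crawler might discover on one page, and egress log lines.
const BASE = 'https://target-news.com';
const SAMPLE_LINKS = [
  'https://target-news.com/industry/2026/', '/about',
  'https://target-news.com.attacker.example/',
  'http://169.254.169.254/latest/meta-data/iam/security-credentials/',
  '//169.254.169.254/latest/meta-data/', 'http://[::1]:8080/',
  'http://[::ffff:169.254.169.254]/', 'http://0x7f000001/',
];
const SAMPLE_EGRESS = [
  'ts=2026-02-12T10:01:02Z pod=rag-ingest-7c9 dst=93.184.216.34:443 method=GET path=/',
  'ts=2026-02-12T10:01:03Z pod=rag-ingest-7c9 dst=169.254.169.254:80 method=GET path=/latest/meta-data/',
  'ts=2026-02-12T10:01:04Z pod=rag-ingest-7c9 dst=[::1]:8080 method=GET path=/',
  'ts=2026-02-12T10:01:05Z pod=rag-ingest-7c9 dst=10.0.3.17:5432 method=GET path=/',
];

function compareChecks(base = BASE, links = SAMPLE_LINKS) {
  return links.map((link) => ({
    link, prefixCheck: naivePreventOutside(base, link), hardened: isAllowedCrawlTarget(base, link),
  }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(compareChecks());
```

Running the block prints one row per sample link: the prefix check accepts the `target-news.com.attacker.example` lookalike, while the hardened check accepts only the two genuine same-site links. Two design choices matter. The range test runs on the parser's output rather than the raw string, because the WHATWG parser normalizes alternative IPv4 spellings such as `0x7f000001` to dotted quads and resolves protocol-relative links like `//169.254.169.254/` against the base scheme. And the private-address test is applied before the allowlist, so an allowlist entry can never reopen metadata or RFC 1918 space. The hostname classifier only sees literals, which is why the comment in the code and step 2 above both insist on a second check at connect time or at the network layer.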

Exploitation Scenario

An adversary targeting a company that uses a LangChain-powered research agent for competitive intelligence identifies that the agent crawls industry news sites. The adversary compromises or creates a page on a domain sharing a prefix with the crawl target (e.g., target-news.com vs target-news.com.attacker.com) or embeds a link to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on a page the crawler will visit. When the research agent's RecursiveUrlLoader processes the malicious page, it follows the link without validation, fetches the AWS metadata endpoint, and the response (containing temporary IAM credentials) is processed as content — potentially stored in the RAG database or logged. The attacker can then query the agent or access logs to extract the credentials and pivot to the cloud account.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Timeline

Published
February 11, 2026
Last Modified
February 19, 2026
First Seen
February 11, 2026
