AI Threat Alert AI Threat Alert

CVE-2026-27795: LangChain: SSRF allows internal network access

MEDIUM
Published February 25, 2026
CISO Take

If your LangChain JS applications use RecursiveUrlLoader—common in RAG pipelines and web-scraping agents—upgrade @langchain/community to 1.1.18 immediately. This is a bypass of the prior SSRF patch (CVE-2026-26019), meaning the attack surface was not fully closed; expect the fix history to raise auditor flags. In cloud environments without IMDSv2 enforcement, successful exploitation leads directly to IAM credential exposure.

Risk Assessment

Rated medium (CVSS 4.1) in isolation, but contextually elevated for cloud-deployed LangChain workloads. The redirect bypass to cloud metadata services (AWS IMDSv1, GCP metadata API at 169.254.169.254) can pivot from low-impact information disclosure to credential harvesting and lateral movement. The fact that this is a second bypass of the same SSRF control (1.1.14 patched CVE-2026-26019; 1.1.18 patches this bypass) signals incomplete threat modeling by the vendor and raises residual risk concerns. Attack complexity is low and privileges required are minimal for authenticated application users.

Severity & Risk

CVSS 3.1
4.1 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 15% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Changed
C Low
I None
A None

Recommended Action

1 step

  1. 1) Patch: Upgrade @langchain/community to >=1.1.18 immediately—this is the only complete fix. 2) Cloud hardening (independent control): Enforce IMDSv2 (token-required mode) on all EC2/cloud instances running LangChain; this blocks the metadata endpoint vector even on unpatched versions. 3) Network egress filtering: Restrict outbound HTTP from LangChain processes to known-safe IP ranges; block RFC1918 and link-local (169.254.0.0/16) ranges at the network layer. 4) Audit: Grep codebase for 'RecursiveUrlLoader' usage and trace all URL input paths to identify user-controllable trust boundaries. 5) Detection: Alert on outbound requests to 169.254.169.254, 100.100.100.200 (Alibaba Cloud), or internal RFC1918 targets originating from LangChain container/process network namespaces. 6) Verify no prior exploitation: Review cloud access logs for unusual IAM credential usage or metadata service calls from LangChain hosts.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Code Execution DoS Framework RAG Agent AML.T0010.001 AML.T0049 AML.T0051.001 AML.T0053 AML.T0085.001 AML.T0086 AML.T0098

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system inputs
NIST AI RMF
GOVERN-1.7 - Processes for identifying and addressing AI risks MANAGE-2.2 - Risk treatment for AI system vulnerabilities
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-27795?

If your LangChain JS applications use RecursiveUrlLoader—common in RAG pipelines and web-scraping agents—upgrade @langchain/community to 1.1.18 immediately. This is a bypass of the prior SSRF patch (CVE-2026-26019), meaning the attack surface was not fully closed; expect the fix history to raise auditor flags. In cloud environments without IMDSv2 enforcement, successful exploitation leads directly to IAM credential exposure.

Is CVE-2026-27795 actively exploited?

No confirmed active exploitation of CVE-2026-27795 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-27795?

1) Patch: Upgrade @langchain/community to >=1.1.18 immediately—this is the only complete fix. 2) Cloud hardening (independent control): Enforce IMDSv2 (token-required mode) on all EC2/cloud instances running LangChain; this blocks the metadata endpoint vector even on unpatched versions. 3) Network egress filtering: Restrict outbound HTTP from LangChain processes to known-safe IP ranges; block RFC1918 and link-local (169.254.0.0/16) ranges at the network layer. 4) Audit: Grep codebase for 'RecursiveUrlLoader' usage and trace all URL input paths to identify user-controllable trust boundaries. 5) Detection: Alert on outbound requests to 169.254.169.254, 100.100.100.200 (Alibaba Cloud), or internal RFC1918 targets originating from LangChain container/process network namespaces. 6) Verify no prior exploitation: Review cloud access logs for unusual IAM credential usage or metadata service calls from LangChain hosts.

What systems are affected by CVE-2026-27795?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, web scraping and document ingestion pipelines, LangChain-powered applications.

What is the CVSS score for CVE-2026-27795?

CVE-2026-27795 has a CVSS v3.1 base score of 4.1 (MEDIUM). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.

Exploitation Scenario

An attacker with authenticated access to a LangChain-based research agent or RAG pipeline submits a request containing a URL pointing to their controlled server (which passes RecursiveUrlLoader's initial URL validation). The attacker's server responds with an HTTP 301 redirect to http://169.254.169.254/latest/meta-data/iam/security-credentials/. On versions 1.1.14–1.1.17, the loader follows the redirect without revalidating the Location header. The metadata endpoint returns IAM role credentials as plain text, which the loader ingests as a document. Depending on application design, these credentials may be passed to the LLM as context, stored in the RAG vector database, or surfaced in API responses. The attacker retrieves the credentials and uses them to access AWS resources—S3 buckets, Secrets Manager, or RDS—outside the application's intended scope.

Weaknesses (CWE)

CWE-918 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

References

Timeline

Published
February 25, 2026
Last Modified
February 27, 2026
First Seen
February 25, 2026

Related Vulnerabilities

CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Extraction
CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Code Execution
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2025-59528 10.0

Flowise: Unauthenticated RCE via MCP config injection

Same attack type: Code Execution
Back to Threat Feed