CVE-2026-41481: LangChain: SSRF redirect bypass exposes internal endpoints
MEDIUM
LangChain's HTMLHeaderTextSplitter validated user-supplied URLs before fetching, but failed to revalidate redirect targets, allowing an attacker to pivot from an approved URL to internal services such as cloud metadata endpoints (AWS IMDS at 169.254.169.254, GCP metadata server) or localhost APIs. Although CVSS is 6.5 and no public exploit exists, the EPSS percentile places this in the top 89% of exploited CVEs — a meaningful signal for a widely deployed LLM framework used in RAG and agent pipelines where URL ingestion is common. Any application that reflects Document contents back to the requester who supplied the URL creates a direct cloud credential exfiltration path. Upgrade to langchain-text-splitters 1.1.2 immediately; as a workaround, disable redirect following by patching the fetch call or validating resolved URLs post-redirect before processing.
What is the risk?
Medium CVSS (6.5) understates real-world risk for AI/ML deployments. SSRF in an LLM framework used for web content ingestion is particularly dangerous because: (1) RAG pipelines routinely accept user-supplied URLs for document loading, (2) cloud metadata endpoints expose IAM credentials that enable lateral movement, and (3) Document objects are often fed directly into LLM context, creating a secondary path where internal data influences model outputs. The User Interaction requirement (an end-user must supply the URL) limits mass exploitation but not targeted attacks on multi-tenant AI platforms.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LangChain | pip | — | No patch |
Do you use LangChain? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1. PATCH: Upgrade langchain-text-splitters to >= 1.1.2 immediately.
2. WORKAROUND (if patching is blocked): Override the fetch logic to pass allow_redirects=False, then manually validate the redirect Location header against an allowlist before following.
3. INPUT VALIDATION: Enforce an explicit allowlist of trusted domains before passing URLs to any LangChain text splitter.
4. NETWORK CONTROLS: Apply egress filtering on the LangChain process to block access to 169.254.169.254 (AWS/GCP/Azure metadata), 100.100.100.200 (Alibaba), and RFC-1918 ranges.
5. DETECTION: Monitor for outbound HTTP requests from your LLM application tier to link-local (169.254/16) or loopback addresses; alert on any 3xx redirect chains that resolve to these ranges.
6. AUDIT: Review pipeline code for all HTMLHeaderTextSplitter usages that accept user-supplied URLs.
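The workaround and input-validation steps above, as an added example (not LangChain's code and not the 1.1.2 fix): a fetch wrapper that disables automatic redirects and revalidates every Location target against a host allowlist and its resolved addresses. `ALLOWED_HOSTS`, `check_url`, `fetch_revalidating`, `FakeResp` and the fake DNS/web data are names and values constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"docs.example.com"}  # assumption: your trusted-domain allowlist

def resolve(host):
    """Return every IP address (as a string) that the host resolves to."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def check_url(url, resolver=resolve):
    """Raise ValueError unless url is http(s), allowlisted, and resolves only to public IPs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"blocked (scheme or host not allowed): {url}")
    for ip in resolver(parts.hostname):
        if not ipaddress.ip_address(ip).is_global:  # loopback, link-local, RFC 1918, 100.64/10
            raise ValueError(f"blocked ({parts.hostname} resolves to {ip})")

def fetch_revalidating(url, http_get, resolver=resolve, max_hops=5):
    """Fetch url, following redirects one hop at a time and revalidating every target."""
    for _ in range(max_hops + 1):
        check_url(url, resolver)
        resp = http_get(url)  # e.g. requests.get(url, allow_redirects=False, timeout=10)
        if resp.status_code not in (301, 302, 303, 307, 308):
            return resp
        location = resp.headers.get("Location")
        if not location:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)  # Location may be relative
    raise ValueError("too many redirects")

# --- Constructed sample data: fake DNS and fake web server, no network needed ---
class FakeResp:
    def __init__(self, status_code, headers=None, text=""):
        self.status_code, self.headers, self.text = status_code, headers or {}, text

FAKE_DNS = {"docs.example.com": ["93.184.216.34"]}
FAKE_WEB = {
    "https://docs.example.com/a": FakeResp(302, {"Location": "/b"}),
    "https://docs.example.com/b": FakeResp(200, text="<h1>Title</h1>"),
    "https://docs.example.com/r": FakeResp(301, {"Location": "http://169.254.169.254/latest/meta-data/"}),
}

def demo(url, dns=FAKE_DNS):
    try:
        return fetch_revalidating(url, FAKE_WEB.__getitem__, dns.__getitem__).text
    except ValueError as exc:
        return str(exc)
```

The DNS check and the real connection resolve the name separately, so the egress filtering in the NETWORK CONTROLS step remains the backstop for names that change between the two lookups.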
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
Is CVE-2026-41481 actively exploited?
No confirmed active exploitation of CVE-2026-41481 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-41481?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, web content ingestion pipelines, document processing pipelines.
What is the CVSS score for CVE-2026-41481?
CVE-2026-41481 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.22%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
Compliance Controls Affected
What are the technical details?
Original Advisory
LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections. The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue. This vulnerability is fixed in 1.1.2.
Exploitation Scenario
An attacker using a multi-tenant AI research platform powered by LangChain submits a document URL pointing to an attacker-controlled HTTP server (e.g., http://attacker.com/doc). The server returns a 301 redirect to http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role. LangChain's requests.get() follows the redirect (default behavior), retrieves the AWS IAM role credentials (AccessKeyId, SecretAccessKey, Token), and parses the JSON response into a Document object. The application's summarization endpoint returns the Document text back to the user in the API response. The attacker now holds valid temporary AWS credentials and pivots to S3, DynamoDB, or other services holding training data, proprietary models, or customer PII.
Weaknesses (CWE)
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Timeline
Related Vulnerabilities
| CVE | CVSS | Title | Relation |
|---|---|---|---|
| CVE-2025-2828 | 10.0 | LangChain RequestsToolkit: SSRF exposes cloud metadata | Same package: langchain |
| CVE-2023-34540 | 9.8 | LangChain: RCE via JiraAPIWrapper crafted input | Same package: langchain |
| CVE-2023-29374 | 9.8 | LangChain: RCE via prompt injection in LLMMathChain | Same package: langchain |
| CVE-2023-34541 | 9.8 | LangChain: RCE via unsafe load_prompt deserialization | Same package: langchain |
| CVE-2023-36258 | 9.8 | LangChain: unauthenticated RCE via code injection | Same package: langchain |