CVE-2026-41488: langchain-openai: SSRF via DNS rebinding in image token counter

LOW
Published April 24, 2026
CISO Take

LangChain's image URL handling in langchain-openai prior to 1.1.14 contains a TOCTOU/DNS rebinding flaw: the SSRF check and the actual HTTP fetch use separate DNS resolutions, creating a timing window for an attacker-controlled hostname to pass validation against a public IP and then rebind to an internal address before the real fetch. Despite a low CVSS score of 3.1, this CVE sits in the top 93rd EPSS percentile — attacker interest significantly outpaces its scored severity. Any LangChain deployment accepting user-supplied image URLs for multimodal token counting is exposed to internal network probing, including cloud metadata endpoints (169.254.169.254) that can yield IAM credentials. The CISA SSVC decision is TRACK; however, since the fix is a one-line upgrade to langchain-openai ≥1.1.14 and the secondary blast radius in cloud environments is severe, patch immediately and enforce egress filtering on AI application hosts to block RFC1918 destinations as a defense-in-depth layer.

What is the risk?

Low CVSS (3.1) but deceptively consequential for cloud-hosted LangChain deployments. High attack complexity (requires DNS rebinding infrastructure and precise timing) and mandatory user interaction suppress the base score, but top-93rd-percentile EPSS signals active attacker reconnaissance. In environments running IMDSv1 on EC2, a successful rebind to 169.254.169.254 escalates this from a low-severity information disclosure to a credential theft chain — the actual blast radius is substantially higher than CVSS reflects. Organizations on older LangChain deployments with user-facing multimodal interfaces should treat this as moderate risk.

How does the attack unfold?

Infrastructure Setup
Attacker registers a domain and configures an authoritative DNS server with sub-1-second TTLs capable of switching A record resolutions between a benign public IP and a target internal address on demand.
AML.T0008.002
Malicious Input Delivery
Attacker submits a multimodal prompt to the LangChain application containing an image URL pointing to the attacker-controlled rebinding domain, triggering the vulnerable token-counting code path.
AML.T0049
DNS Rebinding
During SSRF validation the domain resolves to a benign public IP passing the check; before the actual HTTP fetch the attacker's DNS switches the resolution to a target internal address such as the EC2 metadata endpoint.
Internal Resource Exfiltration
LangChain fetches the now-rebound URL, reaching internal services or cloud metadata endpoints and returning sensitive data — including IAM credentials — into the application context.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1: 3.1 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 5% of all CVEs)
Exploitation status: No known exploitation
Sophistication: Advanced

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

What should I do?

  1. Patch: Upgrade langchain-openai to ≥1.1.14 — this is the primary fix.

  2. Network egress control: Block outbound HTTP from AI application processes to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local (169.254.0.0/16) using host-based or network firewall rules.

  3. Cloud hardening: Enable IMDSv2 (token-required mode) on all EC2 instances running AI workloads to prevent unauthenticated metadata endpoint access even if SSRF succeeds.

  4. Input validation short-term workaround: If patching is delayed, validate image URLs against an allowlist of trusted domains before passing to LangChain.

  5. Detection: Alert on outbound HTTP requests from AI application processes to internal IP ranges, especially 169.254.169.254 and 100.100.100.200 (Alibaba Cloud metadata).

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI System Security Requirements
NIST AI RMF
MANAGE-2.2 - Mechanisms to Sustain AI Risk Management
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-41488 actively exploited?

No confirmed active exploitation of CVE-2026-41488 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-41488?

This vulnerability affects the following AI/ML architecture patterns: LLM agent frameworks, Multimodal AI pipelines, Agentic workflows with user-supplied content, RAG pipelines with image ingestion.

What is the CVSS score for CVE-2026-41488?

CVE-2026-41488 has a CVSS v3.1 base score of 3.1 (LOW). The EPSS exploitation probability is 0.16%.

What is the AI security impact?

Affected AI Architectures

LLM agent frameworks, Multimodal AI pipelines, Agentic workflows with user-supplied content, RAG pipelines with image ingestion

MITRE ATLAS Techniques

AML.T0008.002 Domains
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
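The resolve-once, pin-the-answer pattern that closes the window the advisory describes, shown beside the double-resolution pattern it replaces. This is an added example, not code from langchain-openai or the LangChain project; the hostnames, the sample public address 93.184.216.34 and the rebinding resolver stand-in are constructed so the sequence can be reproduced offline without real DNS.

```python
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit, urlunsplit

Resolver = Callable[[str], List[str]]  # hostname -> list of IP strings

def is_public(ip_text: str) -> bool:
    """Reject RFC1918, loopback, link-local (169.254.169.254 included) and other reserved space."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def system_resolver(host: str) -> List[str]:
    """Real lookup through the OS stub resolver: one query, every address it returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def make_rebinding_resolver(sequence: List[str]) -> Resolver:
    """Constructed stand-in for an attacker's near-zero-TTL authoritative server:
    each lookup returns the next address in `sequence`, then repeats the last one."""
    queue = list(sequence)

    def resolve(host: str) -> List[str]:
        return [queue.pop(0) if len(queue) > 1 else queue[0]]
    return resolve

def validate_then_resolve_again(url: str, resolver: Resolver) -> Optional[str]:
    """The TOCTOU pattern the advisory describes: the SSRF check and the fetch each
    resolve the name. Returns the address the fetch would connect to, None if the check failed."""
    host = urlsplit(url).hostname or ""
    if not all(is_public(ip) for ip in resolver(host)):  # the check sees answer 1
        return None
    return resolver(host)[0]  # the fetch sees answer 2, which may have been rebound

def pin_validated_address(url: str, resolver: Resolver = system_resolver):
    """Hardened form: resolve once, validate every address, then rewrite the URL to connect
    to that exact IP. The hostname is returned so the caller can still send it as Host/SNI."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError("only absolute http(s) URLs are accepted")
    addrs = resolver(host)
    if not addrs or not all(is_public(ip) for ip in addrs):
        raise ValueError(f"{host} resolves to a non-public address")
    ip = addrs[0]
    netloc = f"[{ip}]" if ":" in ip else ip
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, "")), host
```

For https the HTTP client must be told to present the original hostname as SNI and verify the certificate against it, since the pinned URL carries a bare IP; an allowlist of trusted image hosts (step 4 above) can be checked on `host` before resolution.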

Exploitation Scenario

An attacker submits a multimodal prompt to a LangChain-powered enterprise chatbot, embedding an image URL pointing to an attacker-controlled domain (rebind.attacker.com) configured with a 1-second TTL. During LangChain's SSRF validation pass, the attacker's authoritative DNS resolves the hostname to a legitimate public IP, clearing the check. The attacker's DNS server immediately switches the A record to 169.254.169.254. When LangChain performs the actual HTTP GET to count image tokens, the OS resolves the same hostname to the metadata endpoint and the request is forwarded, returning the EC2 instance's IAM role credentials. These credentials appear in application error logs or are directly surfaced in the LLM's context window, enabling AWS account compromise.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Timeline

Published
April 24, 2026
Last Modified
April 28, 2026
First Seen
April 24, 2026
