{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26013", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.554Z", "datePublished": "2026-02-10T21:51:07.741Z", "dateUpdated": "2026-02-11T21:26:34.029Z"}, "containers": {"cna": {"title": "LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"}, {"name": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"}, {"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11"}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"version": "< 1.2.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-10T21:51:07.741Z"}, "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."}], "source": {"advisory": "GHSA-2g6r-c272-w58r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T21:26:20.888102Z", "id": "CVE-2026-26013", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:26:34.029Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26013", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T21:26:20.888102Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:26:27.378Z"}}], "cna": {"title": "LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages", "source": {"advisory": "GHSA-2g6r-c272-w58r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"status": "affected", "version": "< 1.2.11"}]}], "references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r", "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565", "name": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11", "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-10T21:51:07.741Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26013", "state": "PUBLISHED", "dateUpdated": "2026-02-11T21:26:34.029Z", "dateReserved": "2026-02-09T21:36:29.554Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-10T21:51:07.741Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*", "matchCriteriaId": "5CCC1EB9-D45D-465A-96B4-2E6D1DE724FC", "versionEndExcluding": "1.2.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."}, {"lang": "es", "value": "LangChain es un framework para construir agentes y aplicaciones impulsadas por LLM. Antes de la versi\u00f3n 1.2.11, el m\u00e9todo ChatOpenAI.get_num_tokens_from_messages() obtiene valores arbitrarios de image_url sin validaci\u00f3n al calcular el recuento de tokens para modelos habilitados para visi\u00f3n. Esto permite a los atacantes desencadenar ataques de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) al proporcionar URLs de imagen maliciosas en la entrada del usuario. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.2.11."}], "id": "CVE-2026-26013", "lastModified": "2026-03-17T20:30:07.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-10T22:17:00.453", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "langchain: SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages", "id": "2438772", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438772"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-918", "details": ["A flaw was found in LangChain. The ChatOpenAI.get_num_tokens_from_messages method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This issue allows an attacker to cause Server-Side Request Forgery (SSRF) by providing malicious image URLs in user input."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, manually validate that all image_url fields use the HTTP/HTTPS protocols, point to allowed public domains and do not resolve to internal IP addresses before passing messages to ChatOpenAI or any LangChain model."}, "name": "CVE-2026-26013", "package_state": [{"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-25/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-trustyai-ragas-lls-provider-dsp-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-02-10T21:51:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26013\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26013\nhttps://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565\nhttps://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11\nhttps://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"], "statement": "To exploit this issue, an attacker needs to be able to provide a malicious image_url to a LangChain instance. However, the server responses are not returned to the attacker (blind SSRF), increasing the complexity of exploitation. Additionally, an attacker can cause the server to fetch large files, potentially resulting in a high consumption of bandwidth or CPU, causing a limited impact to availability but not a complete denial of service. Due to these reasons, this vulnerability has been rated with a low impact.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.11)"}}], "product": "langchain", "vendor": "langchain-ai"}], "analysis": {"en": {"generated_at": "2026-04-18T12:42:37.909377+00:00", "value": {"mitigation_remediation": ["Upgrade the LangChain library to version 1.2.11 or later, which fixes the SSRF flaw identified as CWE\u2011918.", "If an upgrade is not immediately possible, mitigate CWE\u2011918 by validating image URLs passed to ChatOpenAI.get_num_tokens_from_messages(), restricting them to approved domains or protocols.", "Limit or disable vision\u2011enabled features where third\u2011party image URLs are unnecessary, thereby reducing opportunities for the CWE\u2011918 SSRF vulnerability."], "summary": {"action": "Patch", "impact": "Server\u2013Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the LangChain product from the vendor langchain\u2011ai. All releases before version 1.2.11 are impacted. Deployments that use older versions of the LangChain core library without applying the 1.2.11 patch are susceptible.", "description_and_impact": "LangChain is a framework used to build agents and large\u2011language\u2011model powered applications. In versions prior to 1.2.11 the ChatOpenAI.get_num_tokens_from_messages() routine calculates token counts for vision\u2011enabled models by retrieving the image_url field of any supplied messages without performing validation. This flaw allows an attacker to supply a crafted image_url that points to any internal or external endpoint, enabling a Server\u2011Side Request Forgery attack. The vulnerability can be leveraged to request arbitrary resources from the host system, potentially exposing sensitive internal services or credentials, compromising both confidentiality and integrity.", "risk_and_exploitability": "According to the CVSS score of 3.7, the severity is currently classified as low. The EPSS score of less than 1% indicates a very small probability of exploitation at this time, and the vulnerability is not part of the CISA KEV catalog. Nevertheless, the attack path is straightforward: an attacker who can supply arbitrary messages to the ChatOpenAI component can embed a malicious image_url. When the application computes token counts, the library will follow that URL, allowing the attacker to reach internal hosts or services. No special privileges or exploits are required beyond the ability to craft input to the affected function."}}}}, "created": "2026-02-11T21:46:25.691674+00:00", "updated": "2026-04-18T12:45:45.675486+00:00", "vendors": ["langchain-ai", "langchain-ai$PRODUCT$langchain"]}