CVE-2026-26013

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565	Patch
https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11	Product Release Notes
https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*

History

No history.

Information

Published : 2026-02-10 22:17

Updated : 2026-03-17 20:30

NVD link : CVE-2026-26013

Mitre link : CVE-2026-26013

CVE.ORG link : CVE-2026-26013

JSON object : View

Products Affected

langchain

langchain_core

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-26013", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2026-02-10T22:17:00.453", "references": [{"url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."}, {"lang": "es", "value": "LangChain es un framework para construir agentes y aplicaciones impulsadas por LLM. Antes de la versi\u00f3n 1.2.11, el m\u00e9todo ChatOpenAI.get_num_tokens_from_messages() obtiene valores arbitrarios de image_url sin validaci\u00f3n al calcular el recuento de tokens para modelos habilitados para visi\u00f3n. Esto permite a los atacantes desencadenar ataques de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) al proporcionar URLs de imagen maliciosas en la entrada del usuario. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.2.11."}], "lastModified": "2026-03-17T20:30:07.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "5CCC1EB9-D45D-465A-96B4-2E6D1DE724FC", "versionEndExcluding": "1.2.11"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}