CVE-2026-26013
📋 TL;DR
LangChain versions before 1.2.11 contain a Server-Side Request Forgery (SSRF) vulnerability in the ChatOpenAI.get_num_tokens_from_messages() method. Attackers can exploit this by providing malicious image URLs in user input, causing the application to make unauthorized requests to internal or external systems. This affects any LangChain application using vision-enabled models with the vulnerable method.
💻 Affected Systems
- LangChain
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network services, data exfiltration from internal systems, or lateral movement to sensitive infrastructure via SSRF.
Likely Case
Information disclosure from internal services, denial of service by flooding internal endpoints, or reconnaissance of internal network topology.
If Mitigated
Limited impact if network segmentation restricts outbound requests from the application server and image URLs are validated at the application layer before they are processed.
🎯 Exploit Status
Exploitation requires user input containing image URLs to be processed by the vulnerable method.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.11
Vendor Advisory: https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r
Restart Required: No
Instructions:
1. Update LangChain to version 1.2.11 or later.
2. Run: pip install --upgrade "langchain-core>=1.2.11" (quote the requirement so the shell does not treat > as a redirect).
3. Verify there are no breaking changes in your application.
🔧 Temporary Workarounds
Input Validation
Implement strict validation of image URLs before passing them to the get_num_tokens_from_messages() method.
Network Restrictions
Configure firewall rules to restrict outbound HTTP requests from the application server.
🧯 If You Can't Patch
- Implement strict input validation to reject or sanitize image URLs from user input.
- Deploy network segmentation to restrict the application server's ability to make outbound HTTP requests.
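An added example of the input-validation workaround above (not code from LangChain or from this advisory): an https-only, hostname-allowlisted filter applied to OpenAI-style message content parts before they reach get_num_tokens_from_messages(). The allowlisted hosts, the message dicts and the sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this application may fetch images from.
ALLOWED_IMAGE_HOSTS = {"images.example.com", "cdn.example.net"}


def is_safe_image_url(url: str) -> bool:
    """True only for https URLs whose hostname is explicitly allowlisted.

    Rejects other schemes (file:, gopher:, data:, plain http), URLs carrying
    userinfo (a classic way to disguise the real host), bare IP literals
    (so loopback, RFC 1918 and link-local ranges are never reachable
    directly) and any hostname that is not on the allowlist.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # may raise ValueError on malformed IPv6
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password or not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literal of any kind is refused; hosts must be named
    except ValueError:
        pass
    return host.lower() in ALLOWED_IMAGE_HOSTS


def strip_unsafe_image_parts(messages):
    """Return (cleaned_messages, dropped_urls) for OpenAI-style messages.

    Parts of type "image_url" whose URL fails is_safe_image_url() are removed
    so the token counter never fetches them; dropped URLs are returned so the
    caller can log the rejection (a useful SSRF-attempt indicator).
    """
    cleaned, dropped = [], []
    for msg in messages:
        content = msg.get("content")
        if not isinstance(content, list):
            cleaned.append(msg)  # plain string content carries no image parts
            continue
        kept = []
        for part in content:
            if isinstance(part, dict) and part.get("type") == "image_url":
                url = (part.get("image_url") or {}).get("url", "")
                if not is_safe_image_url(url):
                    dropped.append(url)
                    continue
            kept.append(part)
        cleaned.append({**msg, "content": kept})
    return cleaned, dropped
```

Call strip_unsafe_image_parts() on the message list immediately before handing it to the token counter, and alert on a non-empty dropped list.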
🔍 How to Verify
Check if Vulnerable:
Check if your LangChain version is below 1.2.11 and if you use ChatOpenAI.get_num_tokens_from_messages() with vision models.
Check Version:
python -c "import langchain_core; print(langchain_core.__version__)"
Verify Fix Applied:
Confirm LangChain version is 1.2.11 or higher and test that malicious image URLs no longer trigger external requests.
📡 Detection & Monitoring
Log Indicators:
- Unexpected HTTP requests from application to internal/external URLs
- Failed URL fetch attempts in application logs
Network Indicators:
- Outbound HTTP requests from application server to unusual destinations
- Requests to internal IP ranges from application
SIEM Query:
source="application_logs" AND ("get_num_tokens_from_messages" OR "image_url") AND (http_request OR url_fetch)