A Server‑Side Request Forgery (SSRF) vulnerability has been identified in the @langchain/community package, affecting versions up to 1.1.13.
The flaw, tracked as CVE‑2026‑26019, carries a moderate severity rating (CVSS 3.1 score of 5.3) because of its potential to expose sensitive cloud metadata and internal infrastructure.
The vulnerability originates from the RecursiveUrlLoader class, which performs recursive web crawling. By default, it restricts crawling to the same domain using the preventOutside option.
However, the original implementation validated URLs using JavaScript’s String.startsWith() method, a plain string‑prefix comparison with no understanding of URL structure, so a crafted host such as https://example.com.attacker.com passed the restriction.
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2026-26019 | 5.3 (Medium) | SSRF in @langchain/community ≤ 1.1.13 via RecursiveUrlLoader, allowing crafted URLs to access internal services and cloud metadata (e.g., 169.254.169.254). Fixed in 1.1.14. |
Additionally, the crawler failed to block access to private or reserved IP addresses, allowing attackers to direct requests to cloud metadata endpoints (169.254.169.254), localhost, or internal networks (10.x, 172.16.x, 192.168.x).
GHSA‑gf3v‑fwqg‑4vh7 was published on GitHub Advisory and added to the National Vulnerability Database (NVD) last week.
This flaw enabled the compromise of IAM credentials, tokens, or internal service data in cloud‑hosted environments where LangChain runs with privileged network access.
An attacker who inserts malicious links into user‑generated or publicly crawled content could exploit this weakness to:

- Retrieve cloud metadata and credentials from AWS, GCP, or Azure.
- Probe or interact with internal APIs and services accessible only within the private network.
- Cause data exfiltration through redirect chains.
The exploit requires minimal privileges but does depend on user interaction, such as the crawler fetching a manipulated page.
LangChain has fixed this flaw in version 1.1.14 by replacing the loose prefix check with strict origin validation via the URL API and introducing new SSRF filters in @langchain/core/utils/ssrf.
The update now blocks requests to private, loopback and cloud metadata addresses, as well as to non‑HTTP(S) schemes. Users unable to upgrade should avoid running RecursiveUrlLoader on untrusted content and isolate the component in environments that cannot reach internal networks or metadata services.