CVE-2026-26013 is a Server-Side Request Forgery (SSRF) vulnerability identified in the langchain framework, specifically affecting versions prior to 1.2.11. LangChain is a popular framework used to build agents and applications powered by large language models (LLMs), including those with vision capabilities. The vulnerability exists in the ChatOpenAI.get_num_tokens_from_messages() method, which is responsible for calculating token counts from messages. When processing vision-enabled models, this method fetches image URLs provided in user input without proper validation or sanitization. An attacker can exploit this by submitting malicious image URLs that cause the server to initiate HTTP requests to arbitrary locations. This can lead to internal network scanning, unauthorized access to internal services, or denial of service if the server is tricked into making numerous or large requests. The vulnerability is classified under CWE-918 (SSRF). The CVSS v3.1 base score is 3.7, reflecting a low severity primarily due to the requirement that the attacker can supply input that triggers the vulnerable method and the high attack complexity. No privileges or user interaction are required, but the impact on confidentiality and integrity is rated none, with only a low impact on availability. There are no known exploits in the wild at the time of publication. The issue is resolved in langchain version 1.2.11, where input validation and URL fetching logic have been improved to prevent SSRF attacks. Organizations using langchain for LLM-powered applications, especially those integrating vision models, should upgrade to the patched version to eliminate this risk.

For European organizations, the impact of this SSRF vulnerability is generally low but context-dependent. Organizations using langchain versions prior to 1.2.11 in production AI applications that process user-supplied image URLs are at risk of having their internal networks probed or accessed by attackers. This could expose sensitive internal services or lead to denial of service conditions if exploited at scale. While the vulnerability does not directly compromise data confidentiality or integrity, it can be leveraged as a foothold for further attacks or reconnaissance within internal networks. Industries with sensitive internal infrastructure, such as finance, healthcare, or critical infrastructure, could face increased risk if attackers use SSRF to map internal services or bypass network controls. The lack of known exploits reduces immediate risk, but the widespread adoption of langchain in AI applications means that unpatched deployments could be targeted in the future. The vulnerability's low CVSS score suggests limited direct damage, but its presence in AI frameworks used for automation and decision-making could indirectly affect service availability or trustworthiness.

1. Upgrade all langchain deployments to version 1.2.11 or later immediately to apply the official fix that validates and sanitizes image URLs. 2. Implement network-level controls such as egress filtering and web application firewalls (WAFs) to restrict outbound HTTP requests from AI application servers to only trusted destinations. 3. Employ input validation and sanitization at the application layer to reject or sanitize user-supplied URLs before processing. 4. Monitor logs for unusual outbound requests or patterns indicative of SSRF exploitation attempts. 5. Use network segmentation to isolate AI application servers from sensitive internal resources to limit the impact of any SSRF exploitation. 6. Conduct regular security assessments and penetration tests focusing on SSRF and related vulnerabilities in AI-powered services. 7. Educate developers and security teams about SSRF risks in AI frameworks and enforce secure coding practices when handling external resources.