CVE-2026-27795: CWE-918: Server-Side Request Forgery (SSRF) in langchain-ai langchainjs
LangChain is a framework for building LLM-powered applications. Prior to version 1.1.18, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved against the current URL and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.
AI Analysis
Technical Summary
CVE-2026-27795 is a medium severity SSRF vulnerability (CVSS 3.1 base score 4.1) in langchain-ai's langchainjs framework, specifically in the RecursiveUrlLoader of the @langchain/community package in versions before 1.1.18. The flaw is in the loader's handling of HTTP redirects: the initial URL is validated to ensure it points to a safe public resource, but the underlying fetch call keeps its default redirect behaviour and follows HTTP 3xx responses automatically, so the Location header of each hop is never revalidated. An attacker who can supply a URL to the loader therefore points it at a server they control, which answers with a redirect to an internal address or a cloud metadata endpoint, and the loader fetches that target with the application server's own network access. The result is unauthorized access to internal resources or information disclosure. The vulnerability bypasses the SSRF protections introduced in version 1.1.14 (CVE-2026-26019). The patch in version 1.1.18 disables automatic redirects (redirect: "manual"), resolves each 3xx Location against the current URL and validates it with validateSafeUrl() before issuing the next request, and enforces a maximum redirect limit to prevent infinite loops. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N) indicates a network attack vector, low attack complexity, low privileges and user interaction required, a scope change (the request is issued by the application into a network the attacker cannot reach directly) and limited confidentiality impact. No known exploits are reported in the wild as of publication. The vulnerability is most relevant to applications that use langchainjs to fetch attacker-influenced URLs, especially those deployed where sensitive internal services are reachable over HTTP.
Potential Impact
The primary impact of this SSRF vulnerability is unauthorized access to internal or cloud metadata endpoints that are normally inaccessible from the public internet. Attackers exploiting this flaw can potentially retrieve sensitive information such as internal service data, credentials, or configuration details exposed via internal HTTP endpoints. This can lead to further compromise of the affected environment, including lateral movement or privilege escalation. Although the CVSS score indicates a medium severity with limited confidentiality impact, the actual risk depends on the internal network architecture and the sensitivity of accessible endpoints. Organizations running langchainjs in cloud or enterprise environments with internal-only services exposed over HTTP are at higher risk. The vulnerability requires an attacker to have some level of privileges (PR:L) and user interaction (UI:R), which somewhat limits exploitation scope. However, given the increasing adoption of langchainjs for LLM-powered applications, the potential for SSRF to expose internal resources poses a significant security concern, especially in multi-tenant or cloud environments.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade the @langchain/community package to version 1.1.18 or later, which includes the fix that disables automatic HTTP redirects and validates each redirect target URL before it is requested. This ensures that no redirect hop can bypass the safe URL validation logic. Additionally, developers should audit their use of RecursiveUrlLoader and any other code that performs HTTP fetches on user-influenced URLs: the pattern to look for is a validation step applied only to the initial URL while the fetch call keeps the default redirect: "follow" behaviour. Application-level URL validation is a check performed before the request is made, so it still leaves a window for DNS rebinding and cannot see where a hostname will resolve at request time; network-level controls such as firewall rules or egress filtering that restrict outbound HTTP from application servers to approved external endpoints, together with hardening of cloud metadata endpoints where the provider supports it, are the controls that hold even if the application check is bypassed. Monitoring and logging of outbound HTTP requests and their redirect chains can help detect attempts to steer the loader toward internal or link-local addresses. Finally, applying the principle of least privilege to the application environment and isolating sensitive internal services reduces the impact if SSRF is exploited.
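The redirect handling described in the technical analysis, and the audit point above (a fetch that validates only the start URL and keeps the default redirect: "follow"), as an added example in JavaScript. This is not langchainjs code: validateSafeUrl() is a hypothetical stand-in for the library's function of that name, mockFetch and its route table are constructed so the block runs offline, and the blocked ranges are the usual loopback, RFC 1918, link-local and IPv6 private blocks rather than whatever the library checks.

```javascript
// Added example, not langchainjs code: validateSafeUrl() is a hypothetical
// stand-in for the library's function and mockFetch a constructed offline
// replacement for global fetch, so the block runs without a network.

// Reject non-HTTP schemes and literal addresses in loopback, unspecified,
// RFC 1918, link-local (169.254.0.0/16 carries cloud metadata), and the IPv6
// loopback, link-local, ULA and v4-mapped ranges. new URL() already folds
// http://0177.0.0.1/ and http://2130706433/ to 127.0.0.1 before we look.
function validateSafeUrl(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`blocked scheme: ${url.protocol}`);
  }
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) {
    throw new Error(`blocked host: ${host}`);
  }
  const v4 = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (v4) {
    const [a, b] = v4.slice(1).map(Number);
    if (a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
        (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) {
      throw new Error(`blocked address: ${host}`);
    }
  } else if (host.includes(":") && (host === "::1" || host === "::" ||
             /^fe[89ab]/.test(host) || /^f[cd]/.test(host) || host.startsWith("::ffff:"))) {
    throw new Error(`blocked address: ${host}`);
  }
  // Assumption: a production check also resolves the name; rebinding remains.
  return url;
}

// Pre-1.1.18 pattern: the start URL is checked, but fetch's default
// redirect: "follow" silently carries the request wherever a 3xx points.
async function loadNaively(startUrl, fetchImpl) {
  validateSafeUrl(startUrl);
  const res = await fetchImpl(startUrl);
  return res.text();
}

// Pattern the advisory describes for 1.1.18: redirect: "manual", resolve each
// Location against the current URL, re-validate it, and cap the hop count.
async function loadWithValidatedRedirects(startUrl, fetchImpl, maxRedirects = 5) {
  let current = validateSafeUrl(startUrl).href;
  for (let hops = 0; ; hops++) {
    const res = await fetchImpl(current, { redirect: "manual" });
    if (res.status < 300 || res.status > 399) return res.text();
    const location = res.headers.get("location");
    if (!location) throw new Error(`redirect without Location from ${current}`);
    if (hops >= maxRedirects) throw new Error(`too many redirects (> ${maxRedirects})`);
    current = validateSafeUrl(new URL(location, current).href).href;
  }
}

// Constructed route table standing in for real servers: a public page that
// bounces to the metadata address, a relative redirect, and a redirect loop.
const ROUTES = {
  "https://public.example/start": { status: 302, location: "http://169.254.169.254/latest/meta-data/" },
  "http://169.254.169.254/latest/meta-data/": { status: 200, body: "iam/security-credentials/" },
  "https://public.example/docs": { status: 301, location: "/docs/index.html" },
  "https://public.example/docs/index.html": { status: 200, body: "<html>docs</html>" },
  "https://public.example/loop": { status: 302, location: "https://public.example/loop" },
};

function makeResponse(status, body, location) {
  const headers = new Map(location ? [["location", location]] : []);
  return { status, headers, text: async () => body };
}

// Behaves like fetch: follows 3xx on its own unless redirect: "manual".
async function mockFetch(url, init = {}) {
  const route = ROUTES[url];
  if (!route) return makeResponse(404, "not found");
  const isRedirect = route.status >= 300 && route.status <= 399;
  if (isRedirect && init.redirect !== "manual") {
    return mockFetch(new URL(route.location, url).href, init);
  }
  return makeResponse(route.status, route.body ?? "", route.location);
}

// Run a loader and report either its body or the error that stopped it.
async function outcome(loader, url, ...rest) {
  try {
    return { ok: true, body: await loader(url, mockFetch, ...rest) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Stand-alone run: the naive loader returns metadata content, the hardened
// one stops at the hop that points into 169.254.0.0/16.
async function demo() {
  const naive = await outcome(loadNaively, "https://public.example/start");
  const hardened = await outcome(loadWithValidatedRedirects, "https://public.example/start");
  console.log({ naive, hardened });
  return { naive, hardened };
}
demo();
```

Run it with node. The point to carry into an audit is that every Location, including a relative one such as /docs/index.html, goes through the same validator as the start URL before the next request is issued, and that the hop counter rejects a loop instead of spinning. The validator only sees the literal host, so in a real deployment it has to be backed by DNS-aware validation and by egress filtering at the network layer.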
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:31:33.265Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c30b7ef31ef0b560f39
Added to database: 2/25/2026, 9:40:00 PM
Last enriched: 2/26/2026, 4:09:58 AM
Last updated: 4/11/2026, 5:39:54 PM