CVE-2026-41488: CWE-918: Server-Side Request Forgery (SSRF) in langchain-ai langchain-openai
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
AI Analysis
Technical Summary
The vulnerability in langchain-openai before version 1.1.14 involves a TOCTOU race condition in the _url_to_size() helper function used for image token counting. This function validates URLs to prevent SSRF but performs the validation and the actual fetch in separate network operations with independent DNS resolutions. An attacker can exploit this by controlling a hostname that resolves to a public IP during validation and then to a private or localhost IP during the fetch, bypassing SSRF protections. This is classified as CWE-918 (Server-Side Request Forgery). The CVSS 3.1 base score is 3.1, reflecting low impact with network attack vector, high attack complexity, no privileges required, and user interaction required. No official remediation or patch is currently documented.
Potential Impact
The impact is limited to potential SSRF attacks that could allow an attacker to make the server perform unauthorized requests to internal or localhost network resources. The CVSS score of 3.1 indicates low confidentiality impact and no integrity or availability impact. There are no known exploits in the wild, and the vulnerability requires user interaction and has high attack complexity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability affects versions prior to 1.1.14, upgrading to version 1.1.14 or later (if available) is recommended once confirmed. Until an official fix is released, consider restricting outbound network requests from the affected component or implementing additional network-level protections to prevent SSRF exploitation.
CVE-2026-41488: CWE-918: Server-Side Request Forgery (SSRF) in langchain-ai langchain-openai
Description
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
CVSS v3.1
Score 3.1low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in langchain-openai before version 1.1.14 involves a TOCTOU race condition in the _url_to_size() helper function used for image token counting. This function validates URLs to prevent SSRF but performs the validation and the actual fetch in separate network operations with independent DNS resolutions. An attacker can exploit this by controlling a hostname that resolves to a public IP during validation and then to a private or localhost IP during the fetch, bypassing SSRF protections. This is classified as CWE-918 (Server-Side Request Forgery). The CVSS 3.1 base score is 3.1, reflecting low impact with network attack vector, high attack complexity, no privileges required, and user interaction required. No official remediation or patch is currently documented.
Potential Impact
The impact is limited to potential SSRF attacks that could allow an attacker to make the server perform unauthorized requests to internal or localhost network resources. The CVSS score of 3.1 indicates low confidentiality impact and no integrity or availability impact. There are no known exploits in the wild, and the vulnerability requires user interaction and has high attack complexity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability affects versions prior to 1.1.14, upgrading to version 1.1.14 or later (if available) is recommended once confirmed. Until an official fix is released, consider restricting outbound network requests from the affected component or implementing additional network-level protections to prevent SSRF exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T16:14:19.007Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebdedf87115cfb68748364
Added to database: 4/24/2026, 9:21:35 PM
Last enriched: 5/2/2026, 7:31:42 AM
Last updated: 6/8/2026, 7:07:01 PM
Views: 193
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.