{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26013", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.554Z", "datePublished": "2026-02-10T21:51:07.741Z", "dateUpdated": "2026-02-11T21:26:34.029Z"}, "containers": {"cna": {"title": "LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"}, {"name": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"}, {"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11"}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"version": "< 1.2.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-10T21:51:07.741Z"}, "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."}], "source": {"advisory": "GHSA-2g6r-c272-w58r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T21:26:20.888102Z", "id": "CVE-2026-26013", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:26:34.029Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26013", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T21:26:20.888102Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:26:27.378Z"}}], "cna": {"title": "LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages", "source": {"advisory": "GHSA-2g6r-c272-w58r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"status": "affected", "version": "< 1.2.11"}]}], "references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r", "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565", "name": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11", "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-10T21:51:07.741Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26013", "state": "PUBLISHED", "dateUpdated": "2026-02-11T21:26:34.029Z", "dateReserved": "2026-02-09T21:36:29.554Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-10T21:51:07.741Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."}], "id": "CVE-2026-26013", "lastModified": "2026-02-11T15:27:26.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-10T22:17:00.453", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "langchain: SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages", "id": "2438772", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438772"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-918", "details": ["A flaw was found in LangChain. The ChatOpenAI.get_num_tokens_from_messages method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This issue allows an attacker to cause Server-Side Request Forgery (SSRF) by providing malicious image URLs in user input."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, manually validate that all image_url fields use the HTTP/HTTPS protocols, point to allowed public domains and do not resolve to internal IP addresses before passing messages to ChatOpenAI or any LangChain model."}, "name": "CVE-2026-26013", "package_state": [{"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-25/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-trustyai-ragas-lls-provider-dsp-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-02-10T21:51:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26013\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26013\nhttps://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565\nhttps://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11\nhttps://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"], "statement": "To exploit this issue, an attacker needs to be able to provide a malicious image_url to a LangChain instance. However, the server responses are not returned to the attacker (blind SSRF), increasing the complexity of exploitation. Additionally, an attacker can cause the server to fetch large files, potentially resulting in a high consumption of bandwidth or CPU, causing a limited impact to availability but not a complete denial of service. Due to these reasons, this vulnerability has been rated with a low impact.", "threat_severity": "Low"}

{"created": "2026-02-11T21:46:25.691674+00:00", "updated": "2026-02-11T21:46:25.691737+00:00", "vendors": ["langchain-ai", "langchain-ai$PRODUCT$langchain"]}