CVE-2026-26013 Overview
CVE-2026-26013 is a Server-Side Request Forgery (SSRF) vulnerability in LangChain, a popular framework for building agents and LLM-powered applications. Prior to version 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger SSRF attacks by providing malicious image URLs in user input, potentially enabling unauthorized access to internal network resources.
Critical Impact
Attackers can exploit unvalidated image URL processing to perform SSRF attacks, potentially accessing internal services, cloud metadata endpoints, or sensitive network resources from the server-side context.
Affected Products
- LangChain versions prior to 1.2.11
- LangChain applications using vision-enabled OpenAI models
- Systems utilizing ChatOpenAI.get_num_tokens_from_messages() with user-controlled image inputs
Discovery Timeline
- 2026-02-10 - CVE-2026-26013 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2026-26013
Vulnerability Analysis
This vulnerability exists within the token counting functionality of LangChain's ChatOpenAI integration. When processing messages that contain image content for vision-enabled models (such as GPT-4 Vision), the get_num_tokens_from_messages() method directly fetches image URLs provided in the message payload without performing any validation or sanitization.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery), indicating that the application can be manipulated into making HTTP requests to arbitrary destinations controlled by the attacker. This is particularly concerning in LangChain deployments where user input is processed through the token counting mechanism.
Root Cause
The root cause lies in the lack of URL validation before fetching external resources. The get_num_tokens_from_messages() function accepts image URLs as part of the message content structure and attempts to retrieve them to accurately calculate token usage. Without proper validation, any URL—including those pointing to internal network addresses, localhost services, or cloud provider metadata endpoints—can be accessed by the server.
Attack Vector
The attack vector is network-based and can be exploited remotely. An attacker supplies input whose image_url values point at internal resources; when LangChain passes that input through the vulnerable token counting method, the server issues requests to those attacker-chosen URLs.
Typical SSRF exploitation scenarios include:
- Accessing cloud metadata services (e.g., http://169.254.169.254/latest/meta-data/)
- Probing internal network services and infrastructure
- Bypassing firewall restrictions by making requests from the trusted server context
- Exfiltrating sensitive data from internal endpoints
For detailed technical information about this vulnerability, see the GitHub Security Advisory and the security patch commit.
Detection Methods for CVE-2026-26013
Indicators of Compromise
- Unusual outbound HTTP requests from LangChain application servers to internal IP ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints such as 169.254.169.254 from application servers
- Unexpected network connections originating from the LangChain service to non-standard ports
- Log entries showing image URL processing with internal or suspicious destination addresses
Detection Strategies
- Monitor network traffic from LangChain application servers for connections to internal IP ranges that should not be accessed
- Implement web application firewall (WAF) rules to detect SSRF payloads in image URL parameters
- Enable verbose logging for the ChatOpenAI class to capture all image URLs being processed
- Deploy network segmentation monitoring to detect lateral movement attempts via SSRF
Monitoring Recommendations
- Configure alerting on outbound requests from application servers to RFC 1918 private address spaces
- Monitor for DNS resolution requests to internal hostnames from the LangChain service
- Implement request logging at the network egress point to capture all outbound HTTP connections
- Review application logs for error messages related to failed internal resource access attempts
How to Mitigate CVE-2026-26013
Immediate Actions Required
- Upgrade LangChain to version 1.2.11 or later immediately
- Audit existing LangChain deployments for usage of ChatOpenAI.get_num_tokens_from_messages() with user-controlled input
- Implement network-level controls to restrict outbound connections from LangChain application servers
- Review logs for any evidence of prior exploitation attempts
Patch Information
The vulnerability has been fixed in LangChain version 1.2.11. The security patch introduces proper URL validation to prevent SSRF attacks through the token counting mechanism. Organizations should upgrade to this version or later to remediate the vulnerability.
Workarounds
- Implement input validation to sanitize and validate all image URLs before passing them to LangChain functions
- Deploy network egress filtering to block requests to internal IP ranges and sensitive endpoints from the application server
- Use an allowlist approach for image URL domains if possible, restricting to known trusted sources
- Consider proxying image requests through a dedicated service with strict URL validation
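A pre-filter for the first and third workarounds above, added here as an example and not LangChain project code: is_safe_image_url resolves each host and accepts an image_url only when every address it resolves to is globally routable, and scrub_image_parts strips failing parts from messages before they reach ChatOpenAI.get_num_tokens_from_messages(). The helper names, the plain-dict message shape (OpenAI-style content parts standing in for LangChain message objects) and the offline FAKE_DNS stand-in are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def is_safe_image_url(url, resolve=None):
    """True only if url is https, carries no userinfo, and EVERY address the
    host resolves to is globally routable (not private/loopback/link-local)."""
    resolve = resolve or (lambda h: [a[4][0] for a in socket.getaddrinfo(h, None)])
    try:
        parts = urlparse(url)
        if parts.scheme == "data":
            return True  # inline base64 image: nothing is fetched
        if parts.scheme != "https" or parts.username or not parts.hostname:
            return False
        addrs = resolve(parts.hostname)  # judge what it resolves TO, not its spelling
    except (ValueError, UnicodeError, socket.gaierror):
        return False  # malformed URL or unresolvable host
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:10.0.0.5 -> 10.0.0.5
        if not ip.is_global:  # 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ...
            return False
    return bool(addrs)  # an empty answer is not evidence of safety

def scrub_image_parts(messages, resolve=None):
    """Drop image_url parts that fail the check; returns (clean, rejected_urls).
    Run this before ChatOpenAI.get_num_tokens_from_messages() on user input."""
    clean, rejected = [], []
    for msg in messages:
        content = msg.get("content")
        if not isinstance(content, list):  # plain-string content has no URLs to fetch
            clean.append(msg)
            continue
        kept = []
        for part in content:
            url = part["image_url"]["url"] if part.get("type") == "image_url" else None
            if url is not None and not is_safe_image_url(url, resolve):
                rejected.append(url)
            else:
                kept.append(part)
        clean.append({**msg, "content": kept})
    return clean, rejected

# Constructed offline DNS stand-in so the example runs without network access.
FAKE_DNS = {"cdn.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"],
            "rebind.example": ["93.184.216.34", "10.0.0.5"]}

def fake_resolve(host):
    return FAKE_DNS[host] if host in FAKE_DNS else [str(ipaddress.ip_address(host))]
```

The check resolves the host at validation time, so a name can still answer differently when the fetch happens later; the egress filtering listed above is the complementary control for that gap.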
# Example network-level mitigation using iptables to block internal network access
# from the application server. These rules also block legitimate internal backends
# (databases, caches, internal APIs): insert ACCEPT rules for those destinations
# ahead of the DROPs, because the OUTPUT chain is evaluated in order.
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
# Cloud instance metadata endpoint; only host agents that genuinely need it
# should be exempted, never the LangChain process itself.
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Note: loopback services (127.0.0.0/8) are not covered by these rules.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.