SB2026042098 - Server-Side Request Forgery (SSRF) in LangChain



SB2026042098 - Server-Side Request Forgery (SSRF) in LangChain

Published: April 20, 2026

Security Bulletin ID SB2026042098
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-41481)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery in HTMLHeaderTextSplitter.split_text_from_url() when following redirect responses during URL fetching. A remote attacker can supply a URL that redirects to an internal, localhost, or cloud metadata endpoint to disclose sensitive information.

User interaction is required because the application must process an attacker-supplied URL, and data exposure depends on the application returning parsed Document contents or derivatives to the requester. Cloud metadata endpoints that require special headers are not reachable through this issue, but headerless endpoints such as AWS IMDSv1 are reachable.


Remediation

Install update from vendor's website.