SB2026042098 - Server-Side Request Forgery (SSRF) in LangChain
Published: April 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-41481)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to server-side request forgery in HTMLHeaderTextSplitter.split_text_from_url() when following redirect responses during URL fetching. A remote attacker can supply a URL that redirects to an internal, localhost, or cloud metadata endpoint to disclose sensitive information.
User interaction is required because the application must process an attacker-supplied URL, and data exposure depends on the application returning parsed Document contents or derivatives to the requester. Cloud metadata endpoints that require special headers are not reachable through this issue, but headerless endpoints such as AWS IMDSv1 are reachable.
Remediation
Install update from vendor's website.