SB2026042099 - Server-Side Request Forgery (SSRF) in LangChain



SB2026042099 - Server-Side Request Forgery (SSRF) in LangChain

Published: April 20, 2026

Security Bulletin ID SB2026042099
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-41488)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose limited sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the _url_to_size() helper when validating a URL and then fetching it with separate DNS resolution during image token counting. A remote attacker can use an attacker-controlled hostname with DNS rebinding to disclose limited sensitive information.

User interaction is required, and the issue is limited to blind probing based on timing or error behavior because fetched response content is not returned, logged, or otherwise exposed to the caller.


Remediation

Install update from vendor's website.