SB2026042099 - Server-Side Request Forgery (SSRF) in LangChain
Published: April 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-41488)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose limited sensitive information.
The vulnerability exists due to server-side request forgery (SSRF) in the _url_to_size() helper when validating a URL and then fetching it with separate DNS resolution during image token counting. A remote attacker can use an attacker-controlled hostname with DNS rebinding to disclose limited sensitive information.
User interaction is required, and the issue is limited to blind probing based on timing or error behavior because fetched response content is not returned, logged, or otherwise exposed to the caller.
Remediation
Install update from vendor's website.