SB2026070113 - IBM Maximo AI Service update for LangChain



SB2026070113 - IBM Maximo AI Service update for LangChain

Published: July 1, 2026

Security Bulletin ID SB2026070113
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Partial DoS

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-26013)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to server-side request forgery (ssrf) in ChatOpenAI.get_num_tokens_from_messages() when processing messages containing user-supplied image_url values for token counting. A remote attacker can supply a crafted image URL to cause a denial of service.

The issue is blind SSRF, and token counting may occur outside of model invocation such as in logging, metrics, or token budgeting flows.


Remediation

Install update from vendor's website.