Server-Side Request Forgery (SSRF) in LangChain - #VU126568

 

Server-Side Request Forgery (SSRF) in LangChain - #VU126568

Published: April 20, 2026


Vulnerability identifier: #VU126568
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LangChain
Affected software:
LangChain

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery in HTMLHeaderTextSplitter.split_text_from_url() when following redirect responses during URL fetching. A remote attacker can supply a URL that redirects to an internal, localhost, or cloud metadata endpoint to disclose sensitive information.

User interaction is required because the application must process an attacker-supplied URL, and data exposure depends on the application returning parsed Document contents or derivatives to the requester. Cloud metadata endpoints that require special headers are not reachable through this issue, but headerless endpoints such as AWS IMDSv1 are reachable.


Remediation

Install security update from vendor's website.

Sources