Summary
Server-Side Request Forgery (SSRF) in ChatOpenAI Image Token Counting
The ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input.
Severity
Low - The vulnerability allows SSRF attacks but has limited impact due to:
- Responses are not returned to the attacker (blind SSRF)
- Default 5-second timeout limits resource exhaustion
- Non-image responses fail at PIL image parsing
Details
The vulnerable code path:
get_num_tokens_from_messages()processes messages containingimage_urlcontent blocks- For images without
detail: "low", it calls_url_to_size()to fetch the image and compute token counts _url_to_size()performshttpx.get(image_source)on any URL without validation- Prior to the patch, there was no SSRF protection, size limits, or explicit timeout
File: libs/partners/openai/langchain_openai/chat_models/base.py
Workarounds
If you cannot upgrade immediately:
- Sanitize input: Validate and filter
image_urlvalues before passing messages to token counting or model invocation - Use network controls: Implement egress filtering to prevent outbound requests to private IPs
Impact
An attacker who can control image URLs passed to get_num_tokens_from_messages() can:
- Trigger HTTP requests from the application server to arbitrary internal or external URLs
- Cause the server to access internal network resources (private IPs, cloud metadata endpoints)
- Cause minor resource consumption through image downloads (bounded by timeout)
Note: This vulnerability occurs during token counting, which may happen outside of model invocation (e.g., in logging, metrics, or token budgeting flows).
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2026-26013 has a CVSS score of 3.7 (Low). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.2.11); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The vulnerability has been patched in langchain-openai==1.1.9 (requires langchain-core==1.2.11).
The patch adds:
- SSRF validation using
langchain_core._security._ssrf_protection.validate_safe_url()to block:- Private IP ranges (RFC 1918, loopback, link-local)
- Cloud metadata endpoints (169.254.169.254, etc.)
- Invalid URL schemes
- Explicit size limits (50 MB maximum, matching OpenAI's payload limit)
- Explicit timeout (5 seconds, same as
httpx.getdefault) - Allow disabling image fetching via
allow_fetching_images=Falseparameter
Frequently Asked Questions
- What is CVE-2026-26013? CVE-2026-26013 is a low-severity server-side request forgery (SSRF) vulnerability in langchain-core (pip), affecting versions < 1.2.11. It is fixed in 1.2.11. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
- How severe is CVE-2026-26013? CVE-2026-26013 has a CVSS score of 3.7 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of langchain-core are affected by CVE-2026-26013? langchain-core (pip) versions < 1.2.11 is affected.
- Is there a fix for CVE-2026-26013? Yes. CVE-2026-26013 is fixed in 1.2.11. Upgrade to this version or later.
- Is CVE-2026-26013 exploitable, and should I be worried? Whether CVE-2026-26013 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-26013 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-26013? Upgrade
langchain-coreto 1.2.11 or later.