CVE-2026-26013

CVE-2026-26013 is a low-severity server-side request forgery (SSRF) vulnerability in langchain-core (pip), affecting versions < 1.2.11. It is fixed in 1.2.11.

Summary

Server-Side Request Forgery (SSRF) in ChatOpenAI Image Token Counting

The ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input.

Severity

Low - The vulnerability allows SSRF attacks but has limited impact due to:

  • Responses are not returned to the attacker (blind SSRF)
  • Default 5-second timeout limits resource exhaustion
  • Non-image responses fail at PIL image parsing

Details

The vulnerable code path:

  1. get_num_tokens_from_messages() processes messages containing image_url content blocks
  2. For images without detail: "low", it calls _url_to_size() to fetch the image and compute token counts
  3. _url_to_size() performs httpx.get(image_source) on any URL without validation
  4. Prior to the patch, there was no SSRF protection, size limits, or explicit timeout

File: libs/partners/openai/langchain_openai/chat_models/base.py

Workarounds

If you cannot upgrade immediately:

  1. Sanitize input: Validate and filter image_url values before passing messages to token counting or model invocation
  2. Use network controls: Implement egress filtering to prevent outbound requests to private IPs

Impact

An attacker who can control image URLs passed to get_num_tokens_from_messages() can:

  • Trigger HTTP requests from the application server to arbitrary internal or external URLs
  • Cause the server to access internal network resources (private IPs, cloud metadata endpoints)
  • Cause minor resource consumption through image downloads (bounded by timeout)

Note: This vulnerability occurs during token counting, which may happen outside of model invocation (e.g., in logging, metrics, or token budgeting flows).

Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.

CVE-2026-26013 has a CVSS score of 3.7 (Low). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.2.11); upgrading removes the vulnerable code path.

Affected versions

langchain-core (< 1.2.11)

Security releases

langchain-core → 1.2.11 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

The vulnerability has been patched in langchain-openai==1.1.9 (requires langchain-core==1.2.11).

The patch adds:

  1. SSRF validation using langchain_core._security._ssrf_protection.validate_safe_url() to block:
    • Private IP ranges (RFC 1918, loopback, link-local)
    • Cloud metadata endpoints (169.254.169.254, etc.)
    • Invalid URL schemes
  2. Explicit size limits (50 MB maximum, matching OpenAI's payload limit)
  3. Explicit timeout (5 seconds, same as httpx.get default)
  4. Allow disabling image fetching via allow_fetching_images=False parameter

Frequently Asked Questions

  1. What is CVE-2026-26013? CVE-2026-26013 is a low-severity server-side request forgery (SSRF) vulnerability in langchain-core (pip), affecting versions < 1.2.11. It is fixed in 1.2.11. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
  2. How severe is CVE-2026-26013? CVE-2026-26013 has a CVSS score of 3.7 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of langchain-core are affected by CVE-2026-26013? langchain-core (pip) versions < 1.2.11 is affected.
  4. Is there a fix for CVE-2026-26013? Yes. CVE-2026-26013 is fixed in 1.2.11. Upgrade to this version or later.
  5. Is CVE-2026-26013 exploitable, and should I be worried? Whether CVE-2026-26013 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-26013 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-26013? Upgrade langchain-core to 1.2.11 or later.

Other vulnerabilities in langchain-core

CVE-2026-44843CVE-2026-34070CVE-2026-26013CVE-2025-68664CVE-2025-65106

Stop the waste.
Protect your environment with Kodem.