CVE-2026-26013
Server-Side Request Forgery (SSRF) vulnerability in langchain-core (PyPI)
What is CVE-2026-26013 About?
This vulnerability is a Server-Side Request Forgery (SSRF) in `ChatOpenAI.get_num_tokens_from_messages()`, where arbitrary `image_url` values are fetched without validation for token counting. Attackers can provide malicious image URLs to trigger requests to internal or external hosts. While the impact is limited (blind SSRF, timeout, non-image response failures), it is moderately easy to exploit by providing a crafted URL.
Affected Software
Technical Details
The ChatOpenAI.get_num_tokens_from_messages() method processes messages with image_url content blocks. For images that do not specify detail: "low", the method calls _url_to_size() to fetch the image and compute token counts. Critically, _url_to_size() performs an httpx.get(image_source) on any provided URL without prior validation. This allows an attacker to inject an image_url pointing to internal network resources (e.g., cloud metadata endpoints like 169.254.169.254, private IP ranges, or internal services). While responses are not returned to the attacker (blind SSRF), the vulnerability enables the application server to make arbitrary HTTP requests during the token counting process.
What is the Impact of CVE-2026-26013?
Successful exploitation may allow attackers to trigger HTTP requests from the application server to arbitrary internal or external URLs, potentially accessing internal network resources or consuming minor server resources.
What is the Exploitability of CVE-2026-26013?
Exploitation requires an attacker to control the image_url values passed to the get_num_tokens_from_messages() method. This might involve submitting a crafted message as user input to an application that processes it. Authentication requirements depend on the specific application's design, but if the image URL input is user-facing, an unauthenticated attacker could potentially exploit it. The attack is remote, as the attacker injects a URL that the remote server then attempts to fetch. The complexity is low as it primarily involves providing a malicious URL. Special conditions include the 'blind' nature of the SSRF (no response to attacker) and a default 5-second timeout, which limits the potential for resource exhaustion but not the request itself. The primary risk factor is the processing of untrusted image_url values without proper validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2026-26013?
Available Upgrade Options
- langchain-core
- <1.2.11 → Upgrade to 1.2.11
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565
- https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11
- https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r
- https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565
- https://nvd.nist.gov/vuln/detail/CVE-2026-26013
- https://github.com/langchain-ai/langchain
- https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r
- https://osv.dev/vulnerability/GHSA-2g6r-c272-w58r
- https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11
What are Similar Vulnerabilities to CVE-2026-26013?
Similar Vulnerabilities: CVE-2026-26019 , CVE-2026-25765 , CVE-2023-45802 , CVE-2022-26134 , CVE-2021-44228
