Description
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
Published: 2026-02-10
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Server–Side Request Forgery
Action: Patch
AI Analysis

Impact

LangChain is a framework used to build agents and large‑language‑model powered applications. In versions prior to 1.2.11 the ChatOpenAI.get_num_tokens_from_messages() routine calculates token counts for vision‑enabled models by retrieving the image_url field of any supplied messages without performing validation. This flaw allows an attacker to supply a crafted image_url that points to any internal or external endpoint, enabling a Server‑Side Request Forgery attack. The vulnerability can be leveraged to request arbitrary resources from the host system, potentially exposing sensitive internal services or credentials, compromising both confidentiality and integrity.

Affected Systems

The vulnerability affects the LangChain product from the vendor langchain‑ai. All releases before version 1.2.11 are impacted. Deployments that use older versions of the LangChain core library without applying the 1.2.11 patch are susceptible.

Risk and Exploitability

According to the CVSS score of 3.7, the severity is currently classified as low. The EPSS score of less than 1% indicates a very small probability of exploitation at this time, and the vulnerability is not part of the CISA KEV catalog. Nevertheless, the attack path is straightforward: an attacker who can supply arbitrary messages to the ChatOpenAI component can embed a malicious image_url. When the application computes token counts, the library will follow that URL, allowing the attacker to reach internal hosts or services. No special privileges or exploits are required beyond the ability to craft input to the affected function.

Generated by OpenCVE AI on April 18, 2026 at 12:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LangChain library to version 1.2.11 or later, which fixes the SSRF flaw identified as CWE‑918.
  • If an upgrade is not immediately possible, mitigate CWE‑918 by validating image URLs passed to ChatOpenAI.get_num_tokens_from_messages(), restricting them to approved domains or protocols.
  • Limit or disable vision‑enabled features where third‑party image URLs are unnecessary, thereby reducing opportunities for the CWE‑918 SSRF vulnerability.

Generated by OpenCVE AI on April 18, 2026 at 12:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2g6r-c272-w58r LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
History

Tue, 17 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Langchain
Langchain langchain Core
CPEs cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*
Vendors & Products Langchain
Langchain langchain Core

Thu, 12 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Langchain-ai
Langchain-ai langchain
Vendors & Products Langchain-ai
Langchain-ai langchain
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Description LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
Title LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Langchain Langchain Core
Langchain-ai Langchain
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-11T21:26:34.029Z

Reserved: 2026-02-09T21:36:29.554Z

Link: CVE-2026-26013

cve-icon Vulnrichment

Updated: 2026-02-11T21:26:27.378Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T22:17:00.453

Modified: 2026-03-17T20:30:07.960

Link: CVE-2026-26013

cve-icon Redhat

Severity : Low

Publid Date: 2026-02-10T21:51:07Z

Links: CVE-2026-26013 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses