Description
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
Published: 2026-04-24
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: SSRF via DNS rebinding
Action: Patch
AI Analysis

Impact

This vulnerability resides in LangChain's langchain-openai package. Prior to version 1.1.14, the _url_to_size() helper used by get_num_tokens_from_messages to count image tokens validated a URL against its SSRF rules and then fetched the image in a separate network operation with its own DNS lookup. That separation creates a time-of-check to time-of-use window: an attacker who controls a hostname can have it resolve to a public IP when the check runs and to a private or loopback address when the fetch runs, so the check passes and the request lands on an internal host. The weakness is classified as SSRF (CWE-918) combined with a time-of-check to time-of-use race (CWE-367); the technique used to exploit it is DNS rebinding. The effect is that the application can be made to issue requests to internal addresses it was never intended to reach.

Affected Systems

LangChain, specifically the langchain-openai package, is affected in all releases prior to 1.1.14. The fix shipped in 1.1.14, and that version and later close the DNS rebinding window.

Risk and Exploitability

The CVSS 3.1 base score is 3.1 (Low), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N: the attack is network-reachable without privileges, but attack complexity is high (the attacker has to control DNS timing so that the record flips between the check and the fetch), a user or calling application must submit the attacker's URL, and the impact is limited to confidentiality. The EPSS score is below 1%, indicating a low probability of exploitation, and the CVE is not listed in the CISA KEV catalog. Because the flaw requires a hostname under attacker control with a short-TTL DNS record, it is reachable only where an attacker can supply image URLs, or otherwise invoke the token counting function with a crafted hostname.

Generated by OpenCVE AI on April 28, 2026 at 19:59 UTC.

Remediation

Fixed in langchain-openai 1.1.14; see the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade langchain-openai to version 1.1.14 or later, which closes the DNS rebinding window.
  • If an upgrade is not immediately possible, restrict image token counting to URLs on an allowlist of trusted hosts, and have the resolver reject answers that point at non-public addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, the IPv6 loopback ::1, and IPv4-mapped forms such as ::ffff:127.0.0.1).
  • Make the check and the fetch use the same address: resolve the hostname once, validate the result, and open the connection to that validated IP while passing the original hostname in the Host header (and as the TLS server name), or verify the peer address of the socket actually opened before sending the request. Re-resolving the hostname after the fetch does not help, because by then the request has already reached whatever address the second lookup returned.
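The race described under Impact, and the resolve-once-and-pin mitigation from the last recommended action, reduced to runnable form. This is an added example, not langchain-openai's code: RebindingResolver, simulated_connect, the img.attacker.example hostname and the two scripted DNS answers are constructed stand-ins so the rebind can be reproduced offline without a real DNS server or network.

```python
"""Validate-then-fetch (vulnerable) versus resolve-once-and-pin (hardened).

Added illustration, not langchain-openai code. The resolver and the connector
are constructed stand-ins so the rebinding race can be reproduced offline.
"""
import ipaddress
from collections import deque
from typing import Callable, Deque, Dict, List
from urllib.parse import urlsplit

Resolver = Callable[[str], str]          # hostname -> IP address string
Connector = Callable[[str, str], str]    # (ip, hostname) -> IP actually reached


def is_disallowed(ip: str) -> bool:
    """True for any address an outbound fetch must never reach: loopback, RFC 1918,
    link-local (169.254.0.0/16, where cloud metadata services live), CGNAT,
    multicast, reserved and unspecified. IPv4-mapped IPv6 forms are unwrapped so
    ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)


class RebindingResolver:
    """Stand-in for DNS under attacker control: hands out the scripted answers in
    order and repeats the last one once they are exhausted. A public first answer
    followed by a private one models a short-TTL rebind between check and use."""

    def __init__(self, answers: List[str]) -> None:
        self._answers: Deque[str] = deque(answers)
        self.queries = 0

    def __call__(self, hostname: str) -> str:
        self.queries += 1
        if len(self._answers) > 1:
            return self._answers.popleft()
        return self._answers[0]


def simulated_connect(ip: str, hostname: str) -> str:
    """Stand-in for the HTTP client's TCP connect: reports the IP it would reach."""
    return ip


def vulnerable_fetch(url: str, resolve: Resolver,
                     connect: Connector = simulated_connect) -> str:
    """The pattern the advisory describes: validate the name once, then let the
    HTTP client resolve it again for the real request. Returns the IP reached."""
    hostname = urlsplit(url).hostname
    if hostname is None:
        raise ValueError("URL has no host")
    if is_disallowed(resolve(hostname)):             # time of check: lookup #1
        raise ValueError(f"blocked: {hostname} resolves to a disallowed address")
    return connect(resolve(hostname), hostname)      # time of use: lookup #2


def pinned_fetch(url: str, resolve: Resolver,
                 connect: Connector = simulated_connect) -> str:
    """Resolve once, validate that result, and connect to exactly that address.
    The hostname travels separately (Host header and TLS SNI in a real client)."""
    hostname = urlsplit(url).hostname
    if hostname is None:
        raise ValueError("URL has no host")
    ip = resolve(hostname)
    if is_disallowed(ip):
        raise ValueError(f"blocked: {hostname} resolves to {ip}")
    return connect(ip, hostname)


# Constructed scenario (hypothetical hostname): the record flips from a public
# address to loopback between the validation lookup and the fetch lookup.
ATTACKER_URL = "https://img.attacker.example/logo.png"
REBIND_ANSWERS = ["93.184.216.34", "127.0.0.1"]


def demo() -> Dict[str, str]:
    """Run both fetch styles against the rebinding resolver and report the outcome."""
    results: Dict[str, str] = {}
    results["vulnerable"] = vulnerable_fetch(ATTACKER_URL, RebindingResolver(REBIND_ANSWERS))
    results["pinned"] = pinned_fetch(ATTACKER_URL, RebindingResolver(REBIND_ANSWERS))
    try:  # a name that is private from the first lookup is refused either way
        pinned_fetch(ATTACKER_URL, RebindingResolver(["127.0.0.1"]))
        results["direct_private"] = "allowed"
    except ValueError:
        results["direct_private"] = "blocked"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>15}: {outcome}")
```

The vulnerable path ends up on 127.0.0.1 even though its check saw a public address; the pinned path reaches only the address it validated. In a real client, pinning means opening the TCP connection to the validated IP and supplying the original hostname for the Host header and TLS server name, or inspecting the connected socket's peer address before the request is written. Filtering private answers at the resolver, as in the previous bullet, is a defence in depth, not a substitute: a resolver that allows the first answer and blocks the second still leaves the first request in flight against whatever the client connected to.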

Advisories

Source: GitHub GHSA
ID: GHSA-r7w7-9xr2-qq2r
Title: langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding
History

Tue, 28 Apr 2026 18:30:00 +0000

First Time appeared (added): Langchain; Langchain langchain-openai
CPEs (added): cpe:2.3:a:langchain:langchain-openai:*:*:*:*:*:*:*:*
Vendors & Products (added): Langchain; Langchain langchain-openai

Tue, 28 Apr 2026 12:15:00 +0000

Weaknesses (added): CWE-367
References: changed
Metrics, threat_severity: None removed, Low added

Mon, 27 Apr 2026 20:30:00 +0000

First Time appeared (added): Langchain-ai; Langchain-ai langchain
Vendors & Products (added): Langchain-ai; Langchain-ai langchain

Mon, 27 Apr 2026 14:15:00 +0000

Metrics, ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 21:15:00 +0000

Description (added): LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
Title (added): langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding
Weaknesses (added): CWE-918
References: changed
Metrics, cvssV3_1 (added): {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-27T13:40:42.065Z
Reserved: 2026-04-20T16:14:19.007Z
Link: CVE-2026-41488

Vulnrichment

Updated: 2026-04-27T13:40:38.447Z

NVD

Status: Analyzed
Published: 2026-04-24T21:16:19.637
Modified: 2026-04-28T18:17:09.553
Link: CVE-2026-41488

Red Hat

Severity: Low
Public Date: 2026-04-24T20:57:25Z
Links: CVE-2026-41488 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:00:19Z

Weaknesses