What is CVE-2026-26013?

CVE-2026-26013 is a low-severity vulnerability in Langchain-ai Langchain, classified under Server-Side Request Forgery (SSRF). CVSS score: 3.7/10. Published 2026-02-10.

How severe is CVE-2026-26013?

Low severity. CVSS v3 base score is 3.7 out of 10.

SSRF in Langchain-ai Langchain

CVE-2026-26013

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-e…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (5.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.7 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L.

Affected products

Langchain-ai Langchain — versions < 1.2.11

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r (x_refsource_CONFIRM)
https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565 (x_refsource_MISC)
https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-26013?: CVE-2026-26013 is a low-severity vulnerability in Langchain-ai Langchain, classified under Server-Side Request Forgery (SSRF). CVSS score: 3.7/10. Published 2026-02-10.
How severe is CVE-2026-26013?: Low severity. CVSS v3 base score is 3.7 out of 10.