Web Crawler Vulnerability in LangChain Framework by LangChain AI
CVE-2026-26019
What is CVE-2026-26019?
The RecursiveUrlLoader class in the LangChain framework contains a flaw in the URL comparison it uses to scope a crawl. The crawler's preventOutside option is meant to keep the crawl on the same site, but it relies on String.startsWith(), a plain string-prefix comparison that performs no semantic URL validation. An attacker can therefore craft links that share a string prefix with the base URL and lead the crawler to domains outside the intended scope. The loader also performs no validation against private or reserved IP addresses, which allows requests to reach sensitive cloud metadata services or internal infrastructure. This issue was resolved in version 1.1.14.
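The difference between the prefix test and a semantic scope check, shown as an added example (not LangChain's code or its actual fix). The function names, the blocked-range list and the example.com / attacker.test URLs are assumptions constructed for illustration.

```javascript
// Added example: function names are hypothetical, not LangChain's API.

// The flawed pattern the advisory describes: a raw string prefix test.
function prefixCheck(baseUrl, link) {
  return link.startsWith(baseUrl);
}

// Private/reserved IPv4 ranges as [network, prefix bits] (constructed, not exhaustive).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];
const v4ToInt = (ip) => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);

// Expects a hostname as produced by the WHATWG URL parser, which already
// normalises numeric IPv4 forms (decimal, hex) to dotted-quad.
function isBlockedHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    const addr = v4ToInt(host);
    return BLOCKED_V4.some(([network, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((addr & mask) >>> 0) === v4ToInt(network);
    });
  }
  if (host.includes(":")) { // IPv6 literal: loopback, unspecified, ULA, link-local, v4-mapped
    return host === "::1" || host === "::" || /^f[cd]/.test(host) ||
      /^fe[89ab]/.test(host) || host.startsWith("::ffff:");
  }
  return false; // DNS names still need a check on the resolved address
}

// Semantic comparison: parse both URLs, compare origin, then path on a segment boundary.
function semanticCheck(baseUrl, link) {
  let base, target;
  try {
    base = new URL(baseUrl);
    target = new URL(link, base);
  } catch {
    return false;
  }
  if (!["http:", "https:"].includes(target.protocol)) return false;
  if (target.origin !== base.origin || isBlockedHost(target.hostname)) return false;
  const dir = base.pathname.endsWith("/") ? base.pathname : base.pathname + "/";
  return target.pathname === base.pathname || target.pathname.startsWith(dir);
}
```

A hostname that passes `isBlockedHost` can still resolve to an internal address, so the resolved IP and every redirect target need the same check at request time.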

Affected Version(s)
langchainjs < 1.1.14
