Server-Side Request Forgery Vulnerability in LangChain Framework
CVE-2026-27795
4.1 MEDIUM
What is CVE-2026-27795?
LangChain framework versions prior to 1.1.8 are susceptible to a redirect-based Server-Side Request Forgery (SSRF) bypass. The vulnerable component is the RecursiveUrlLoader: it validates only the initial URL and lets the underlying fetch operation follow redirects automatically, so a request that starts at a whitelisted public URL can be redirected to an internal service or cloud metadata endpoint without the new location being revalidated. Users are urged to upgrade to version 1.1.18, which disables automatic redirects and validates every redirect hop, so that each location is confirmed safe before it is fetched.
Affected Version(s)
langchainjs < 1.1.18
