Server-Side Request Forgery Vulnerability in LangChain Framework
CVE-2026-41481

6.5 MEDIUM

Key Information:

Vendor
CVE Published: 24 April 2026

What is CVE-2026-41481?

A server-side request forgery (SSRF) vulnerability exists in the LangChain framework, specifically in the HTMLHeaderTextSplitter class. Prior to version 1.1.2, its fetch method called requests.get() with redirects enabled and did not revalidate the redirect targets, so a URL that passed the initial check could still cause a request to a host that check would have rejected. An attacker-controlled server can therefore answer a permitted URL with a redirect to a sensitive internal endpoint, which the framework then fetches on the attacker's behalf, potentially leading to unauthorized access and data leakage. Applications that use the framework in ways that expose Document contents back to the requesting system are at risk of data exfiltration. The vulnerability is addressed in version 1.1.2, which mitigates the risks associated with improper URL validation and redirect handling.
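One way to implement the redirect revalidation the advisory describes, as an added example that is not LangChain's own code: redirects are followed one hop at a time (the equivalent of calling requests.get(url, allow_redirects=False) in a loop) and every hop passes through the same URL policy before it is requested, so a redirect from a permitted public host to a private or loopback address is refused. The opener and resolver are injectable, the hostnames, addresses and responses are constructed fixtures so the example runs offline, and is_public_address, validate_url and fetch_with_validated_redirects are names chosen here, not LangChain APIs.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

# An opener returns (status, headers, body) for ONE request and must not follow
# redirects itself; a real one would wrap requests.get(url, allow_redirects=False).
Response = Tuple[int, Dict[str, str], bytes]
Opener = Callable[[str], Response]
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname with the OS resolver (default when none is injected)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses, IPv4 or IPv6."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def validate_url(url: str, resolver: Resolver = system_resolver) -> List[str]:
    """Apply the fetch policy to one URL; raise ValueError on any violation."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    try:
        ipaddress.ip_address(parts.hostname)
        addresses = [parts.hostname]  # IP literal: nothing to resolve
    except ValueError:
        try:
            addresses = resolver(parts.hostname)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {parts.hostname!r}") from exc
    for address in addresses:  # every address the name maps to must be public
        if not is_public_address(address):
            raise ValueError(f"{parts.hostname!r} resolves to non-public {address}")
    return addresses


@dataclass
class FetchResult:
    ok: bool
    final_url: Optional[str] = None
    body: Optional[bytes] = None
    error: Optional[str] = None


def fetch_with_validated_redirects(url: str, opener: Opener,
                                   resolver: Resolver = system_resolver,
                                   max_redirects: int = MAX_REDIRECTS) -> FetchResult:
    """Follow redirects one hop at a time, validating every hop before requesting it."""
    current = url
    for _ in range(max_redirects + 1):
        try:
            validate_url(current, resolver)
        except ValueError as exc:
            return FetchResult(ok=False, final_url=current, error=str(exc))
        status, headers, body = opener(current)
        if status not in REDIRECT_STATUSES:
            return FetchResult(ok=True, final_url=current, body=body)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if not location:
            return FetchResult(ok=False, final_url=current, error="redirect without Location")
        current = urljoin(current, location)  # relative Location values resolve against this hop
    return FetchResult(ok=False, final_url=current, error="too many redirects")


# Constructed fixtures (not real hosts or responses) so the example runs offline.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],  # constructed: a public, attacker-controlled host
    "intranet.example": ["10.0.0.5"],     # constructed: an internal-only service
}
FAKE_SERVERS = {
    "http://public.example/page": (302, {"Location": "http://intranet.example/admin"}, b""),
    "http://intranet.example/admin": (200, {}, b"internal data that must not leak"),
    "http://public.example/docs": (301, {"Location": "/docs/index.html"}, b""),
    "http://public.example/docs/index.html": (200, {"Content-Type": "text/html"}, b"<h1>Docs</h1>"),
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed DNS has no entry for {host!r}")
    return FAKE_DNS[host]


def fake_opener(url: str) -> Response:
    if url not in FAKE_SERVERS:
        raise ConnectionError(f"no constructed server for {url!r}")
    return FAKE_SERVERS[url]
```

Running fetch_with_validated_redirects("http://public.example/page", fake_opener, fake_resolver) stops at the second hop with ok=False and an error naming intranet.example, while the /docs path, whose redirect stays on the public host, completes normally. One caveat remains even with per-hop validation: the name is resolved once by validate_url and again by the HTTP client when it connects, so a rebinding DNS answer can still slip through; closing that gap means connecting to the address that was validated (with the original hostname kept for the Host header and TLS SNI) rather than letting the client resolve the name a second time.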

Affected Version(s)

langchain-text-splitters < 1.1.2

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
