Critical SSRF Vulnerability Patched in LangChain’s @langchain/community Package
The LangChain development team has released a security update for the @langchain/community package to fix a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-26019) in the RecursiveUrlLoader class. The flaw, rated 6.1 (Moderate), allowed attackers to bypass domain restrictions and access internal network resources or cloud metadata services.
The vulnerability stemmed from weak URL validation in the RecursiveUrlLoader, which relied on a simple String.startsWith() prefix check rather than strict origin validation. This enabled attackers to craft malicious domains (e.g., example.com.attacker.com) that passed the preventOutside restriction, which is meant to keep the crawler within the same domain. Additionally, the utility lacked validation against private IP ranges, so a crafted page could force requests to internal services, localhost, or cloud metadata endpoints, which are commonly abused to steal IAM credentials and session tokens from AWS, Google Cloud, and Azure.
Affected versions (≤ 1.1.13) have been patched in version 1.1.14, which introduces two key fixes:
- Strict origin validation using the URL API, ensuring exact matches for scheme, hostname, and port.
- A new SSRF validation module that blocks requests to private IP ranges, loopback addresses, and cloud metadata endpoints (e.g., 169.254.169.254).
Developers are advised to upgrade immediately or mitigate risks by avoiding untrusted content in RecursiveUrlLoader or isolating applications in restricted network environments.
Source: https://gbhackers.com/langchain-community-ssrf-bypass-vulnerability/
LangChain TPRM report: https://www.rankiteo.com/company/langchain
"id": "lan1771309474",
"linkid": "langchain",
"type": "Vulnerability",
"date": "2/2026",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "Developers using @langchain/community ≤ 1.1.13",
      "industry": "Technology/AI",
      "name": "LangChain",
      "type": "Software Development"
    }
  ],
  "attack_vector": "Malicious domain crafting (e.g., example.com.attacker.com) to bypass URL validation",
  "customer_advisories": "Developers advised to upgrade immediately",
  "data_breach": {
    "data_exfiltration": "Possible if exploited",
    "sensitivity_of_data": "High (cloud metadata, internal services)",
    "type_of_data_compromised": "IAM credentials, session tokens, internal network resources"
  },
  "description": "The LangChain development team has released a security update for the @langchain/community package to fix a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-26019) in the RecursiveUrlLoader class. The flaw allowed attackers to bypass domain restrictions and access internal network resources or cloud metadata services.",
  "impact": {
    "data_compromised": "Potential access to IAM credentials and session tokens from AWS, Google Cloud, and Azure",
    "identity_theft_risk": "High (if IAM credentials or session tokens were compromised)",
    "operational_impact": "Risk of unauthorized access to internal network resources or cloud metadata services",
    "systems_affected": "Applications using @langchain/community ≤ 1.1.13 with RecursiveUrlLoader"
  },
  "investigation_status": "Patched",
  "lessons_learned": "Need for strict origin validation and private IP range checks in URL loaders",
  "post_incident_analysis": {
    "corrective_actions": "Strict origin validation using URL API and SSRF protection module",
    "root_causes": "Weak URL validation (String.startsWith() check) and lack of private IP range validation"
  },
  "recommendations": "Upgrade to patched version, avoid untrusted content in RecursiveUrlLoader, and isolate applications in restricted networks",
  "references": [{"source": "LangChain Security Advisory"}],
  "response": {
    "communication_strategy": "Security advisory released to developers",
    "containment_measures": "Patch released (version 1.1.14) with strict origin validation and SSRF protection",
    "network_segmentation": "Isolate applications in restricted network environments (mitigation advice)",
    "remediation_measures": "Upgrade to @langchain/community 1.1.14 or avoid untrusted content in RecursiveUrlLoader"
  },
  "title": "Critical SSRF Vulnerability Patched in LangChain’s @langchain/community Package",
  "type": "Server-Side Request Forgery (SSRF)",
  "vulnerability_exploited": "Weak URL validation in RecursiveUrlLoader (String.startsWith() check) and lack of private IP range validation"
}