{"id":10707,"date":"2026-02-17T10:04:55","date_gmt":"2026-02-17T10:04:55","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/17\/langchain-community-ssrf-bypass-vulnerability-enables-access-to-internal-services\/"},"modified":"2026-02-17T10:04:55","modified_gmt":"2026-02-17T10:04:55","slug":"langchain-community-ssrf-bypass-vulnerability-enables-access-to-internal-services","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/17\/langchain-community-ssrf-bypass-vulnerability-enables-access-to-internal-services\/","title":{"rendered":"Langchain Community SSRF Bypass Vulnerability Enables Access to Internal Services"},"content":{"rendered":"<div>\n<p>A <a href=\"https:\/\/cybersecuritynews.com\/fortisandbox-ssrf-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">Server\u2011Side Request Forgery (SSRF) vulnerability<\/a> has been identified in the langchain\/community package, affecting versions up to 1.1.13.<\/p>\n<p>The flaw, tracked as CVE\u20112026\u201126019, has a moderate severity rating, with a CVSS 3.1 score of 5.3, due to its potential to expose sensitive cloud metadata and internal infrastructure.<\/p>\n<p>The vulnerability originates from the <code>RecursiveUrlLoader<\/code> class, which performs recursive web crawling. 
By default, it restricts crawling to the same domain using the <code>preventOutside<\/code> option.<\/p>\n<p>However, the original implementation validated URLs using JavaScript\u2019s <code>String.startsWith()<\/code> method, a non\u2011semantic prefix check that allowed crafted subdomains (e.g., https:\/\/example.com.attacker.com) to bypass the restriction.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>CVE ID<\/th>\n<th>CVSS Score<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>CVE-2026-26019<\/strong><\/td>\n<td>5.3 (Medium)<\/td>\n<td>SSRF in @langchain\/community \u2264 1.1.13 via <code>RecursiveUrlLoader<\/code>, allowing crafted URLs to access internal services and cloud metadata (e.g., 169.254.169.254). Fixed in 1.1.14.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Additionally, the crawler failed to block access to private or reserved IP addresses, allowing attackers to direct requests to cloud metadata endpoints (169.254.169.254), localhost, or internal networks (10.x, 172.16.x, 192.168.x).<\/p>\n<p><a href=\"https:\/\/github.com\/advisories\/GHSA-gf3v-fwqg-4vh7\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GHSA\u2011gf3v\u2011fwqg\u20114vh7 was published on GitHub Advisory<\/a> and added to the National Vulnerability Database (NVD) last week.<\/p>\n<p>This flaw enabled the compromise of IAM credentials, tokens, or internal service data in cloud\u2011hosted environments where <a href=\"https:\/\/cybersecuritynews.com\/langchain-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">LangChain runs with privileged network access<\/a>.<\/p>\n<p>An attacker who inserts malicious links into user\u2011generated or publicly crawled content could exploit this weakness to:<\/p>\n<ul>\n<li>Retrieve cloud metadata and credentials from AWS, GCP, or Azure.<\/li>\n<li>Probe or interact with internal APIs and services accessible only within the 
private network.<\/li>\n<li>Cause data exfiltration through redirect chains.<\/li>\n<\/ul>\n<p>The exploit requires minimal privileges but does depend on user interaction, such as the crawler fetching a manipulated page.<\/p>\n<p>LangChain has fixed this flaw in version 1.1.14 by replacing the loose prefix check with strict origin validation via the <code>URL<\/code> API and introducing new SSRF filters in <code>@langchain\/core\/utils\/ssrf<\/code>.<\/p>\n<p>The update now blocks requests to private and loopback addresses, <a href=\"https:\/\/cybersecuritynews.com\/how-attackers-identify-cloud-organizations-before-an-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">cloud metadata endpoints<\/a>, and non\u2011HTTP(S) schemes. Users unable to upgrade should avoid running <code>RecursiveUrlLoader<\/code> on untrusted content and isolate the component in environments that cannot reach internal networks or metadata services.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/langchain-community-ssrf-bypass-vulnerability\/\">Langchain Community SSRF Bypass Vulnerability Enables Access to Internal Services<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Server\u2011Side Request Forgery (SSRF) vulnerability has been identified in the langchain\/community package, affecting versions up to 1.1.13. The flaw, tracked as CVE\u20112026\u201126019, has a moderate severity rating, with a CVSS 3.1 score of 5.3, due to its potential to expose sensitive cloud metadata and internal infrastructure. 
The vulnerability originates from the\u00a0RecursiveUrlLoader\u00a0class, which [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-10707","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10707"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10707"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10707\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10707"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}