cvedb.io
CVE-2026-26013
LOW · CVSS 3.7
EPSS exploitation probability: 0%
Published 2026-02-10T22:17:00.453 · Last modified 2026-06-17T10:25:35.927

Summary

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.

Affected products

langchain — langchain_core

Does this affect you?

Add your gear to cvedb and we'll alert you only when langchain ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.