3.7
CVE-2026-26013
- EPSS 0.38%
- Veröffentlicht 10.02.2026 21:51:07
- Zuletzt bearbeitet 17.03.2026 20:30:07
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Langchain ≫ Langchain Core SwPlatformpython Version < 1.2.11
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.38% | 0.295 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 3.7 | 2.2 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r
https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565
https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11