CVE-2026-26013: When Your AI Assistant Browses Your Intranet
Vulnerability ID: CVE-2026-26013
CVSS Score: 3.7
Published: 2026-02-11
In the race to build the ultimate AI agent, developers often overlook the plumbing. CVE-2026-26013 is a classic Server-Side Request Forgery (SSRF) vulnerability nestled deep within LangChain's utility functions. Specifically, the logic used to calculate token costs for OpenAI's vision models inadvertently turned the library into an open proxy. By tricking the ChatOpenAI component into 'measuring' an image hosted on an internal server, attackers could force the application to scan local networks or ping cloud metadata services. It's a stark reminder that even 'helper' functions need to treat user input like a biological hazard.
TL;DR
LangChain's ChatOpenAI component contained an SSRF vulnerability in its token counting logic. To estimate costs for vision models, the library automatically fetched images from URLs provided in prompts. This allowed attackers to force the server to request internal resources (like AWS metadata or localhost). Fixed in langchain-core 1.2.11.
Exploit Status: POC
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network
- CVSS v3.1: 3.7 (Low)
- Impact: Blind SSRF, Internal Scanning
- Vulnerable Method: get_num_tokens_from_messages
- Fix Commit: 2b4b1dc29a833d4053deba4c2b77a3848c834565
Affected Systems
- LangChain Framework (Python)
- Applications using ChatOpenAI with vision models
- Internal networks accessible by LLM servers
- langchain-core: < 1.2.11 (Fixed in: 1.2.11)
Code Analysis
Commit: 2b4b1dc
ssrf protection for image token counting
@@ -1,5 +1,6 @@
+from langchain_core._security._ssrf_protection import validate_safe_url
...
- response = httpx.get(image_source)
+ validate_safe_url(image_source, allow_private=False, allow_http=True)
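Review bot: as excerpted, the hunk removes `response = httpx.get(image_source)` and adds only the `validate_safe_url(...)` call, so nothing assigns `response` any more; if the fetch line was kept below the validation, include that context line so the hunk is complete, otherwise whatever follows reads an undefined `response`. Two smaller points: `allow_http=True` deliberately keeps plaintext image fetches allowed, which deserves a one-line comment stating why, and because the validation and the request are separate calls on the same string, the docstring should say whether `validate_safe_url` also fixes the address that the subsequent fetch connects to, or only checks the URL as written.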
Exploit Details
- Manual: Manual construction of JSON payloads containing image_url pointing to 169.254.169.254
Mitigation Strategies
- Input Validation
- Dependency Management
- Network Segmentation
- Principle of Least Privilege
Remediation Steps:
- Upgrade langchain-core to version 1.2.11 or later immediately.
- If upgrading is not possible, modify calls to get_num_tokens_from_messages to set allow_fetching_images=False.
- Implement firewall rules (e.g., AWS Security Groups) that block the application server from initiating outbound connections to 169.254.169.254 and 127.0.0.1.
- Audit all uses of ChatOpenAI in your codebase to ensure user-provided URLs are not implicitly trusted.
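To make the last remediation step concrete, here is an added example (not langchain-core's own validate_safe_url, whose internals this page does not show) of a pre-flight check an application can run over a ChatOpenAI vision prompt before handing it to get_num_tokens_from_messages: it resolves every image_url host and rejects anything that maps to a loopback, link-local or private address, including IPv4-mapped IPv6 literals. The DEMO_DNS table, its hostnames and DEMO_MESSAGES are constructed, and the resolver argument exists so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse
# Constructed name table so the example runs offline; both hostnames are hypothetical.
DEMO_DNS = {"cdn.example.com": ["8.8.8.8"], "images.internal.example": ["169.254.169.254"]}

def demo_resolver(host):
    return DEMO_DNS[host]  # KeyError for unknown names, the way a failed lookup raises

def is_safe_image_url(url, resolver=None, allow_http=True):
    """Return (ok, reason); ok is False if the host is, or resolves to, a non-public address."""
    resolver = resolver or (lambda h: [i[4][0] for i in socket.getaddrinfo(h, None)])  # real DNS
    p = urlparse(url)
    scheme = p.scheme.lower()
    if scheme == "data":  # inline base64 image: nothing is fetched
        return True, "inline data URL"
    if scheme not in ("http", "https") or (scheme == "http" and not allow_http):
        return False, f"scheme not allowed: {scheme or 'none'}"
    if not p.hostname:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(p.hostname)]  # literal IP, v4 or v6
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(p.hostname)]
        except (OSError, KeyError, ValueError):
            return False, f"cannot resolve {p.hostname}"
    for ip in addrs:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # check ::ffff:a.b.c.d as the IPv4 address it wraps
        if not ip.is_global:  # loopback, link-local (169.254/16), RFC 1918, etc.
            return False, f"{p.hostname} maps to non-public address {ip}"
    return True, "public address"

def unsafe_image_urls(messages, resolver=None):  # (url, reason) for each image_url that fails
    findings = []
    for msg in messages:
        for part in msg.get("content") if isinstance(msg.get("content"), list) else []:
            if isinstance(part, dict) and part.get("type") == "image_url":
                src = part.get("image_url")
                url = src.get("url") if isinstance(src, dict) else src
                ok, reason = is_safe_image_url(url, resolver)
                if not ok:
                    findings.append((url, reason))
    return findings

DEMO_MESSAGES = [{"role": "user", "content": [  # constructed prompt in ChatOpenAI's vision shape
    {"type": "image_url", "image_url": {"url": "https://cdn.example.com/cat.png"}},
    {"type": "image_url", "image_url": {"url": "http://169.254.169.254/latest/meta-data/"}},
    {"type": "image_url", "image_url": {"url": "https://images.internal.example/logo.png"}}]}]
```

Call unsafe_image_urls on the prompt with the default resolver and refuse the request if it returns anything; this check is a complement to, not a replacement for, the upgrade and the egress firewall rules above.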
References
Read the full report for CVE-2026-26013 on our website for more details including interactive diagrams and full exploit analysis.