CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26019: Spider in the Web: Escaping LangChain's Crawler Sandbox via SSRF

Spider in the Web: Escaping LangChain's Crawler Sandbox via SSRF

Vulnerability ID: CVE-2026-26019
CVSS Score: 4.1
Published: 2026-02-11

A logic flaw in the LangChain JS @langchain/community package allows for Server-Side Request Forgery (SSRF) within the RecursiveUrlLoader. By bypassing a weak string-prefix validation check, attackers can force the crawler to access internal network resources, local loopback interfaces, or cloud metadata services. Since the output of this loader is typically fed into an LLM for summarization or processing, this vulnerability transforms a simple network scan into a high-fidelity data exfiltration pipeline.

TL;DR

The RecursiveUrlLoader in LangChain JS used startsWith() to validate URLs, allowing attackers to bypass domain restrictions and scan internal networks or steal cloud credentials.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS Score: 4.1 (Medium)
  • Impact: Confidentiality (Low), Scope Changed
  • Vulnerable Logic: String.startsWith() bypass
  • Target Component: RecursiveUrlLoader

Affected Systems

  • Applications using RecursiveUrlLoader
  • @langchain/community: < 1.1.14 (Fixed in: 1.1.14)

Code Analysis

Commit: d5e3db0

Fix RecursiveUrlLoader preventOutside check and add SSRF protection

const isAllowed = !this.preventOutside || isSameOrigin(link, baseUrl);
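
To make the difference concrete, the following added example (not code from LangChain or from the original report) contrasts a string-prefix check with an origin comparison and a filter for loopback, RFC 1918 and link-local addresses. The function names and sample URLs are hypothetical and constructed for illustration, and combining the two checks in one condition is an assumption.

```javascript
// Added illustration; function names are hypothetical, not LangChain's API.

// Weak check: raw string prefix comparison, as in the vulnerable logic.
function prefixCheck(link, baseUrl) {
  return link.startsWith(baseUrl);
}

// Stronger check: compare parsed origins (scheme + host + port).
function sameOrigin(link, baseUrl) {
  try {
    return new URL(link).origin === new URL(baseUrl).origin;
  } catch {
    return false; // unparsable input is never "same origin"
  }
}

// True for localhost, [::1], and loopback / RFC 1918 / link-local IPv4 literals.
function isInternalHost(link) {
  let host;
  try {
    host = new URL(link).hostname; // URL parsing normalizes IPv4 notation
  } catch {
    return true; // fail closed on unparsable input
  }
  if (host === "localhost" || host === "[::1]") return true;
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  const [a, b] = host.split(".").map(Number);
  return a === 127 || a === 10 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Shaped like the condition quoted above, plus the internal-address filter
// (how the two are combined here is an assumption).
function isAllowed(link, baseUrl, preventOutside = true) {
  return (!preventOutside || sameOrigin(link, baseUrl)) && !isInternalHost(link);
}

// Constructed sample links (reserved example/test domains).
const BASE = "https://docs.example.com";
const SAMPLES = [
  "https://docs.example.com/guide/intro",
  "https://docs.example.com.other.test/page",
  "https://docs.example.com:8443/page",
  "http://169.254.169.254/",
];

function compare() {
  return SAMPLES.map((link) => ({
    link, prefix: prefixCheck(link, BASE), allowed: isAllowed(link, BASE),
  }));
}
console.table(compare());
```

A literal-address filter like this does not see hostnames that resolve to internal addresses, which is why the egress blocking in the remediation steps still matters.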

Exploit Details

  • Hypothetical: Constructed scenario using prefix-matching domain bypass to access AWS Metadata.

Mitigation Strategies

  • Update Dependency
  • Network Segmentation
  • Cloud Hardening (IMDSv2)

Remediation Steps:

  1. Update @langchain/community to version 1.1.14 or higher via npm/yarn.
  2. Ensure @langchain/core is updated to at least 1.1.21 to support the new SSRF utility functions.
  3. Configure the host environment (Docker/Kubernetes/EC2) to block egress traffic to private IP ranges (RFC 1918) and cloud metadata services (169.254.169.254).


Read the full report for CVE-2026-26019 on our website for more details including interactive diagrams and full exploit analysis.