SSRF Bypass Vulnerability in the LangChain Community Package

The @langchain/community package has been found to have a Server-Side Request Forgery (SSRF) vulnerability affecting versions up to and including 1.1.13. The vulnerability, tracked as CVE-2026-26019, carries a moderate severity rating (5.3, Medium, on CVSS 3.1) because it can expose internal infrastructure and sensitive cloud metadata. The source of the vulnerability is the RecursiveUrlLoader class, which performs recursive web crawling.

By default, it uses the preventOutside option to limit crawling to the same domain. However, the original implementation validated URLs with JavaScript's String.startsWith() method, a plain string-prefix check with no understanding of URL structure. A crafted host such as https://example.com.attacker.com therefore passed the check and got around the restriction.

CVE ID            CVSS Score      Description
CVE-2026-26019    5.3 (Medium)    SSRF in @langchain/community <= 1.1.13 via RecursiveUrlLoader, which permits crafted URLs to access cloud metadata and internal services (e.g., 169.254.169.254).

The crawler also failed to block access to private or reserved IP addresses, which was fixed in 1.1.14. This allowed attackers to route requests to internal networks (10.x, 172.16.x, 192.168.x), localhost, or cloud metadata endpoints (169.254.169.254). Last week, GHSA-gf3v-fwqg-4vh7 was added to the National Vulnerability Database (NVD) and published as a GitHub Advisory.

In cloud-hosted environments where LangChain runs with privileged network access, this vulnerability made it possible to compromise IAM credentials, tokens, or internal service data. By inserting malicious links into user-generated or publicly crawled content, an attacker could exploit it to:

- Obtain credentials and cloud metadata from AWS, GCP, or Azure.
- Probe or interact with internal services and APIs that are reachable only from the private network.
- Use redirect chains to exfiltrate data.

Exploitation depends on user interaction, such as the crawler retrieving a manipulated page, but requires very few privileges. LangChain addressed the vulnerability in version 1.1.14 by adding new SSRF filters in @langchain/core/utils/ssrf and replacing the loose prefix check with strict origin validation using the URL API. The update now blocks requests to private, loopback, and cloud metadata addresses, as well as non-HTTP(S) schemes.
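To make the difference between the two checks concrete, here is an added example (not code from @langchain/community or @langchain/core) that places the string-prefix check beside an origin comparison via the URL API, and adds a literal-IPv4 denylist for loopback, private, and link-local (metadata) ranges. The helper names are hypothetical.

```javascript
// Added example, not the library's own code. Helper names are hypothetical.

// The flawed pattern: a plain string prefix check on the URL text.
// "https://example.com.attacker.com" starts with "https://example.com".
function isSameSiteByPrefix(base, candidate) {
  return candidate.startsWith(base);
}

// Hardened: compare parsed origins (scheme + host + port), not string prefixes.
function isSameOrigin(base, candidate) {
  try {
    return new URL(candidate).origin === new URL(base).origin;
  } catch {
    return false; // an unparsable URL is never "same origin"
  }
}

// Literal IPv4 hosts a crawler must never fetch: loopback, RFC 1918 private
// ranges, and the link-local block that carries cloud metadata
// (169.254.169.254). Hostnames are not resolved here, so a name that
// resolves to one of these ranges still needs a resolver-level check.
function isBlockedIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 127 ||                         // 127.0.0.0/8 loopback
    a === 10 ||                          // 10.0.0.0/8
    (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
    (a === 192 && b === 168) ||          // 192.168.0.0/16
    (a === 169 && b === 254) ||          // 169.254.0.0/16, includes metadata
    a === 0                              // 0.0.0.0/8
  );
}

// Combined policy a crawler can apply before every fetch: HTTP(S) only,
// no blocked literal addresses or localhost, and same origin as the seed.
function isCrawlAllowed(base, candidate) {
  let u;
  try { u = new URL(candidate); } catch { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (u.hostname === 'localhost' || isBlockedIPv4(u.hostname)) return false;
  return isSameOrigin(base, candidate);
}
```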

Users who are unable to upgrade should not run RecursiveUrlLoader on untrusted content, and should isolate the component in an environment that cannot reach internal networks or metadata services.