CVE-2026-27795 (GCVE-0-2026-27795)

Vulnerability from cvelistv5 – Published: 2026-02-25 17:30 – Updated: 2026-02-25 18:42
Title
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
Summary
LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.
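The per-hop validation the fixed version describes, written out as an added example rather than LangChain's own code: automatic redirects are turned off, every 3xx `Location` is resolved and checked before the next request, and a hop cap stops loops. `validateSafeUrl()` here is an assumed stand-in for the library's check, and `fakeFetch` is a constructed offline stand-in for `fetch` so the chain can be exercised without a network.

```javascript
// Added example, not LangChain's code: follow HTTP redirects by hand and
// re-validate every hop, the pattern the fix describes (redirect: "manual",
// validate each 3xx Location before the next request, cap the hop count).
// validateSafeUrl() below is an assumed stand-in for the library's own check.
const MAX_REDIRECTS = 5;

// Rejects non-HTTP schemes, loopback, link-local (cloud metadata lives in
// 169.254.0.0/16) and RFC 1918 ranges. It checks only the literal host; a
// production check must also resolve DNS and validate the resolved address.
function validateSafeUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (!["http:", "https:"].includes(url.protocol)) return false;
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host === "::1" || host === "0.0.0.0") return false;
  const m = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    if (a === 0 || a === 10 || a === 127) return false;
    if (a === 169 && b === 254) return false;
    if (a === 172 && b >= 16 && b <= 31) return false;
    if (a === 192 && b === 168) return false;
  }
  return true;
}

// fetchImpl is injected so the redirect chain can be exercised offline;
// in real use pass globalThis.fetch.
async function fetchWithSafeRedirects(startUrl, fetchImpl) {
  let current = startUrl;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (!validateSafeUrl(current)) {
      throw new Error(`unsafe URL rejected at hop ${hop}: ${current}`);
    }
    const res = await fetchImpl(current, { redirect: "manual" });
    if (res.status < 300 || res.status > 399) return { url: current, response: res };
    const location = res.headers.get("location");
    if (!location) throw new Error(`3xx without Location at ${current}`);
    current = new URL(location, current).href; // resolve relative Location
  }
  throw new Error(`too many redirects (more than ${MAX_REDIRECTS})`);
}

// Constructed offline "server": maps a URL to a status and optional Location.
function fakeFetch(routes) {
  return async (url) => {
    const r = routes[url] || { status: 404 };
    const headers = new Map(r.location ? [["location", r.location]] : []);
    return { status: r.status, headers };
  };
}
```

With the vulnerable pattern (`fetch` following redirects on its own) the second request in a chain like public host, then 302 to a metadata address, is never seen by the validator; here it is rejected at hop 1.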
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
GitHub_M
Impacted products
Vendor Product Version
langchain-ai langchainjs Affected: < 1.1.18

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27795",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T18:42:34.609541Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T18:42:52.277Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "langchainjs",
          "vendor": "langchain-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.1.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: \"manual\"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T17:30:01.106Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-mphv-75cg-56wg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-mphv-75cg-56wg"
        },
        {
          "name": "https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7"
        },
        {
          "name": "https://github.com/langchain-ai/langchainjs/pull/9990",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langchain-ai/langchainjs/pull/9990"
        },
        {
          "name": "https://github.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee"
        },
        {
          "name": "https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d"
        },
        {
          "name": "https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14"
        },
        {
          "name": "https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.18",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.18"
        }
      ],
      "source": {
        "advisory": "GHSA-mphv-75cg-56wg",
        "discovery": "UNKNOWN"
      },
      "title": "LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27795",
    "datePublished": "2026-02-25T17:30:01.106Z",
    "dateReserved": "2026-02-24T02:31:33.265Z",
    "dateUpdated": "2026-02-25T18:42:52.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-27795",
      "date": "2026-04-18",
      "epss": "0.00042",
      "percentile": "0.12519"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27795\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-25T18:23:41.153\",\"lastModified\":\"2026-04-13T14:15:35.920\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: \\\"manual\\\"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.\"},{\"lang\":\"es\",\"value\":\"LangChain es un framework para construir aplicaciones impulsadas por LLM. Antes de la versi\u00f3n 1.1.8, existe una omisi\u00f3n de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) basada en redirecci\u00f3n en `RecursiveUrlLoader` en `@langchain/community`. El cargador valida la URL inicial, pero permite que la recuperaci\u00f3n subyacente siga las redirecciones autom\u00e1ticamente, lo que permite una transici\u00f3n de una URL p\u00fablica segura a un endpoint interno o de metadatos sin revalidaci\u00f3n. Esto es una omisi\u00f3n de las protecciones de SSRF introducidas en 1.1.14 (CVE-2026-26019). 
Los usuarios deben actualizar a `@langchain/community` 1.1.18, que valida cada salto de redirecci\u00f3n deshabilitando las redirecciones autom\u00e1ticas y revalidando los objetivos de `Location` antes de seguirlos. En esta versi\u00f3n, las redirecciones autom\u00e1ticas est\u00e1n deshabilitadas (`redirect: \u0027manual\u0027`), cada `Location` 3xx se resuelve y valida con `validateSafeUrl()` antes de la siguiente petici\u00f3n, y un l\u00edmite m\u00e1ximo de redirecciones evita bucles infinitos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N\",\"baseScore\":4.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:langchain:langchain_community:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.1.18\",\"matchCriteriaId\":\"82E0218B-5EC7-4779-9F3F-FF40F63DEA54\"}]}]}],\"references\":[{\"url\":\"https://g
ithub.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/langchain-ai/langchainjs/pull/9990\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.18\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-mphv-75cg-56wg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27795\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-25T18:42:34.609541Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-25T18:42:46.808Z\"}}], \"cna\": {\"title\": \"LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader\", \"source\": {\"advisory\": \"GHSA-mphv-75cg-56wg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"langchain-ai\", \"product\": \"langchainjs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.1.18\"}]}], \"references\": [{\"url\": \"https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-mphv-75cg-56wg\", \"name\": \"https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-mphv-75cg-56wg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7\", \"name\": \"https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/langchain-ai/langchainjs/pull/9990\", \"name\": \"https://github.com/langchain-ai/langchainjs/pull/9990\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": 
\"https://github.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee\", \"name\": \"https://github.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d\", \"name\": \"https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14\", \"name\": \"https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.18\", \"name\": \"https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.18\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. 
In this version, automatic redirects are disabled (`redirect: \\\"manual\\\"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-25T17:30:01.106Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-27795\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-25T18:42:52.277Z\", \"dateReserved\": \"2026-02-24T02:31:33.265Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-25T17:30:01.106Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


