Platform
python
Component
langchain-core
Fixed in
1.2.12
1.2.11
CVE-2026-26013 is a Server-Side Request Forgery (SSRF) vulnerability in the ChatOpenAI.get_num_tokens_from_messages() method shipped with langchain-core. When the method counts tokens for a message that carries an image, it fetches the image from the URL given in the message; an attacker who controls that URL can therefore make the server issue requests to internal or external hosts of their choosing. langchain-core versions up to and including 1.2.9 are affected; the fix shipped in version 1.2.11.
An attacker exploits this by placing a crafted image URL in user-supplied content that is later passed to the token counter. The SSRF is blind: the attacker never sees the response body, which rules out direct data exfiltration and is why the issue is rated low severity. The risk is not zero, though. Each attacker-controlled URL holds a request open for up to the method's 5-second timeout, so a stream of such messages can exhaust worker capacity. More importantly, timing and error differences (the usual oracle in blind SSRF) let the attacker learn which internal hosts and ports answer, so the method can be used to map the internal network and identify further targets.
CVE-2026-26013 has a CVSS score of 3.7 (LOW) and was published on 2026-02-11. No public proof-of-concept exploit is known, there is no indication of active exploitation campaigns, the CVE is not in the CISA KEV catalog, and its EPSS score is 0.02% (5th percentile).
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26013 is to upgrade langchain-core to version 1.2.11 or later. If that cannot happen immediately, validate every image_url before it reaches the token counter: allow only https, reject URL-embedded credentials, allow-list the hosts that may serve images, and reject any URL whose host resolves to a loopback, private, link-local (including the cloud metadata address range) or otherwise non-public address. Be clear about what a Web Application Firewall (WAF) can do here: it inspects inbound requests and can drop payloads containing obvious internal IP literals or unusual URL schemes, but it never sees the outbound request the library makes, so pair it with egress filtering that lets the hosts running langchain-core reach only the image origins they actually need. Monitor outbound traffic from those hosts for requests to internal ranges or unexpected destinations. After upgrading, confirm the fix by submitting a message whose image URL points at an internal address you control (or at a request-catching listener) and verifying that no outbound request arrives at all; a request that merely times out means the fetch was still attempted.
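The interim validation described above, as an added example that is not part of the advisory or of LangChain itself. It screens OpenAI-style chat messages before they are handed to any routine that might fetch the image. The allow-list of image hosts, the constructed DNS answers (FAKE_DNS) and the helper names are assumptions of this example; the only library behaviour relied on is Python's standard library (`urllib.parse.urlsplit`, `ipaddress`, `socket.getaddrinfo`).

```python
"""Pre-filter for image URLs in chat messages (added example, not LangChain code).

Screens the message list *before* it reaches a token counter or anything else
that may fetch the image, rejecting URLs that could reach internal hosts.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Hypothetical policy for this example: only these hosts may serve images.
ALLOWED_IMAGE_HOSTS = {"images.example.com", "cdn.example.net"}

# hostname -> list of IP strings; injectable so the check can run offline.
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA answer the OS resolver returns for `host`."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable addresses. `is_global` is False for
    loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata), ULA,
    unspecified, multicast and IANA-reserved ranges, v4 and v6 alike."""
    return ipaddress.ip_address(ip_text).is_global


def validate_image_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Return `url` if it is safe to fetch, else raise ValueError.

    Policy (this example's choice): inline data:image/ URLs pass because
    nothing is fetched; anything else must be https, carry no credentials,
    name an allow-listed host, and that host must resolve only to public IPs.
    """
    if url.startswith("data:image/"):
        return url
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_IMAGE_HOSTS:  # also rejects bare IP literals
        raise ValueError(f"host not on allow-list: {host!r}")
    addrs = resolver(host)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise ValueError(f"{host!r} resolves to a non-public address: {addrs}")
    return url


def is_safe_image_url(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean form of validate_image_url, convenient for filtering."""
    try:
        validate_image_url(url, resolver)
        return True
    except ValueError:
        return False


def sanitize_messages(messages: List[Dict],
                      resolver: Resolver = system_resolver) -> Tuple[List[Dict], List[str]]:
    """Drop every image_url content part that fails validation.
    Returns (clean_messages, rejected_urls); text parts are left untouched."""
    clean, rejected = [], []
    for msg in messages:
        content = msg.get("content")
        if not isinstance(content, list):  # plain string content, nothing to fetch
            clean.append(msg)
            continue
        kept = []
        for part in content:
            if part.get("type") == "image_url":
                url = part["image_url"]["url"]
                if not is_safe_image_url(url, resolver):
                    rejected.append(url)
                    continue
            kept.append(part)
        clean.append({**msg, "content": kept})
    return clean, rejected


# Constructed DNS answers for the demo; no network access is needed.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.net": ["10.0.0.8"],  # allow-listed name pointed at an internal host
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    messages = [{"role": "user", "content": [
        {"type": "text", "text": "How many tokens is this?"},
        {"type": "image_url", "image_url": {"url": "https://images.example.com/a.png"}},
        {"type": "image_url", "image_url": {"url": "http://169.254.169.254/latest/meta-data/"}},
        {"type": "image_url", "image_url": {"url": "https://cdn.example.net/b.png"}},
    ]}]
    clean, rejected = sanitize_messages(messages, fake_resolver)
    # Only the text part and the first image survive: the metadata URL fails on
    # scheme, the cdn URL fails because its name resolves to 10.0.0.8.
    print("kept parts:", len(clean[0]["content"]), "rejected:", rejected)
```

Run `sanitize_messages` on the message list before calling `get_num_tokens_from_messages`, and log `rejected_urls` so the attempts are visible. Resolving the hostname in the validator is what catches an allow-listed name that points at an internal address, but it cannot see where an HTTP redirect leads or what a DNS answer will be a second later (rebinding), which is why egress filtering remains the control to rely on and this check is a stopgap.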
Update to version 1.2.11 or later; the fix validates image URLs before the request is made. The affected component is langchain-core, so run `pip install --upgrade langchain-core` to update it.
CVE-2026-26013 is a Server-Side Request Forgery (SSRF) vulnerability in langchain-core versions up to and including 1.2.9. It allows attackers to trigger server-side requests to arbitrary URLs by supplying crafted image URLs in messages that are passed to the token counter.
You are affected if you are using Langchain-Core version 1.2.9 or earlier. Upgrade to version 1.2.11 or later to mitigate the vulnerability.
Upgrade Langchain-Core to version 1.2.11 or later. As a temporary workaround, implement input validation on the image_url parameter to restrict allowed protocols and domains.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-26013, but it's crucial to apply the fix to prevent potential future attacks.
Refer to the Langchain-Core GitHub repository and related security advisories for the most up-to-date information regarding CVE-2026-26013: [https://github.com/langchain-ai/langchain-core](https://github.com/langchain-ai/langchain-core)