CVE-2026-26013 – LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages

CVE ID : CVE-2026-26013

Published : Feb. 10, 2026, 9:51 p.m. | 31 minutes ago

Description : LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-26007 – cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

CVE-2026-26006 – Redos (Regular Expression Denial of Service) at Code Extraction Block in significant-gravitas/autogpt

CVE-2026-1507 – Uncaught Exception vulnerability in AVEVA PI Data Archive

CVE-2026-1495 – Insertion of Sensitive Information into Log File vulnerability in AVEVA PI to CONNECT Agent