PyPI: langchain-core
CVE-2026-26013
Safety vulnerability ID: SFTY-20260211-88956
Safety legacy ID: pyup.io-86270
Affected versions of the langchain-core package are vulnerable to Server-Side Request Forgery (SSRF) due to fetching user-supplied image_url values during token counting without URL validation. In ChatOpenAI.get_num_tokens_from_messages(), messages containing image_url blocks can flow into _url_to_size(), which calls httpx.get(image_source) on attacker-controlled URLs in libs/partners/openai/langchain_openai/chat_models/base.py when computing vision-model token counts.
Overview
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
How to Fix
Upgrade to a release that contains the fix commit linked in the references below (2b4b1dc29a833d4053deba4c2b77a3848c834565); the reference list points at the langchain-core 1.2.11 release tag as the release carrying the fix.
Mitigation and Workarounds
Until the upgrade is deployed, treat the token counter as a network client: do not call ChatOpenAI.get_num_tokens_from_messages() on messages whose image_url values originate from untrusted input. Where images must be referenced by URL, validate the URL before it enters a message (http/https only, no embedded credentials, and reject hosts that resolve to loopback, private, link-local or cloud-metadata addresses such as 169.254.169.254), and prefer passing image bytes inline as base64 data rather than as a remote URL when the image is already in hand.
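The following is an added illustration for this advisory, not LangChain's own code. It shows the unsafe pattern the advisory describes (an attacker-controlled image_url handed straight to an HTTP GET) next to a fail-closed URL check that an application can apply to image_url blocks before they reach a token-counting call. Names such as unsafe_url_to_size, is_safe_image_url and guarded_image_fetch are hypothetical; the real helper is _url_to_size() in libs/partners/openai/langchain_openai/chat_models/base.py. httpx.get is replaced by an injected fetch callable, DNS by an injected resolver, and the messages are modelled as OpenAI-style dicts, so the file runs offline; the fixtures at the bottom are constructed for the example.

```python
"""Added example for CVE-2026-26013: unsafe fetch vs. fail-closed URL check (not LangChain code)."""
from __future__ import annotations

import base64
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse


def unsafe_url_to_size(image_source: str, fetch: Callable[[str], bytes]) -> int:
    """The advisory's pattern: an attacker-controlled string goes straight to an HTTP GET."""
    return len(fetch(image_source))  # no scheme, host or address check at all


def _system_resolver(host: str) -> list[str]:
    """Default resolver: every address the OS returns for the host (assumption: getaddrinfo)."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]


def is_safe_image_url(url: str, resolver: Callable[[str], list[str]] = _system_resolver) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to public unicast addresses.

    Fails closed: unparsable URLs, embedded credentials, unresolvable hosts, and any
    address that is loopback, private, link-local (169.254.169.254 included), multicast,
    reserved, or an IPv4-mapped IPv6 form of one of those, are all rejected.
    """
    try:
        parts = urlparse(url)
    except ValueError:  # e.g. malformed bracketed IPv6 host
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # user:pw@host is a classic way to confuse URL parsers
    try:
        addrs = resolver(parts.hostname)
    except (OSError, UnicodeError):  # socket.gaierror is an OSError subclass
        return False
    if not addrs:
        return False
    for raw in addrs:  # every record must be public: one private A/AAAA record is enough to refuse
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return False
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
        if not ip.is_global or ip.is_multicast:
            return False
    return True


def image_urls_in(messages: Iterable[dict]) -> list[str]:
    """Collect image_url values from content blocks shaped like
    {"type": "image_url", "image_url": {"url": ...}} or {"type": "image_url", "image_url": "..."}."""
    found: list[str] = []
    for msg in messages:
        content = msg.get("content")
        if not isinstance(content, list):
            continue
        for block in content:
            if not (isinstance(block, dict) and block.get("type") == "image_url"):
                continue
            ref = block.get("image_url")
            url = ref.get("url") if isinstance(ref, dict) else ref
            if isinstance(url, str):
                found.append(url)
    return found


def guarded_image_fetch(messages, fetch, resolver=_system_resolver) -> dict[str, Optional[int]]:
    """Hardened counterpart: byte length per image_url, or None when the URL was refused.
    data: URLs are decoded locally (nothing to fetch); remote URLs are fetched only if
    is_safe_image_url accepts them."""
    result: dict[str, Optional[int]] = {}
    for url in image_urls_in(messages):
        if url.startswith("data:"):
            header, _, payload = url.partition(",")
            result[url] = len(base64.b64decode(payload) if ";base64" in header else payload.encode())
        elif is_safe_image_url(url, resolver):
            result[url] = len(fetch(url))
        else:
            result[url] = None
    return result


# --- constructed fixtures so the example runs offline -------------------------------
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "dual.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host: str) -> list[str]:
    """Constructed resolver: table lookup, literal IPs resolve to themselves, else NXDOMAIN."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise socket.gaierror(f"unknown host {host!r}") from None
    return [host]


FETCHED: list[str] = []


def fake_fetch(url: str) -> bytes:
    """Stand-in for httpx.get(url).content; records what would have gone over the wire."""
    FETCHED.append(url)
    return b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # 16 constructed bytes


SAMPLE_MESSAGES = [  # constructed message with one safe, one metadata-service and one inline image
    {"role": "user", "content": [
        {"type": "text", "text": "Describe these images"},
        {"type": "image_url", "image_url": {"url": "https://images.example.com/cat.png"}},
        {"type": "image_url", "image_url": {"url": "http://169.254.169.254/latest/meta-data/"}},
        {"type": "image_url", "image_url": {"url": "data:image/png;base64," + base64.b64encode(b"hello").decode()}},
    ]},
]

if __name__ == "__main__":
    for url, size in guarded_image_fetch(SAMPLE_MESSAGES, fake_fetch, fake_resolver).items():
        print("refused" if size is None else "ok", url, size)
    print("went over the wire:", FETCHED)
```

The check runs against the addresses the host resolves to at validation time; a client that re-resolves the host when it connects leaves a DNS-rebinding window, so for a real deployment connect to the validated address (sending the hostname in the Host header) or pin the resolution, disable redirects, and re-run the check on any hop you do choose to follow. The simplest mitigation remains not letting user-supplied URLs reach the token counter at all.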
Vulnerable Functions
Functions linked to this vulnerability, both in libs/partners/openai/langchain_openai/chat_models/base.py:
- ChatOpenAI.get_num_tokens_from_messages(): the entry point that receives messages containing image_url blocks when computing vision-model token counts
- _url_to_size(): the helper that calls httpx.get(image_source) on the attacker-controlled URL
References
- https://getsafety.com/vulnerabilities/SFTY-20260211-88956/CVE-2026-26013
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26013
- https://github.com/advisories/GHSA-2g6r-c272-w58r
- https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r
- https://nvd.nist.gov/vuln/detail/CVE-2026-26013
- https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565
- https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
