AI Threat Alert
CVE-2026-26019
MEDIUMCVE-2026-26019 is an SSRF vulnerability in LangChain's RecursiveUrlLoader — if you're using it in any RAG ingestion pipeline or web research agent, an attacker controlling any page in the crawl path can redirect your crawler to cloud metadata endpoints (AWS IMDSv1, GCP metadata) or internal RFC 1918 infrastructure. Upgrade @langchain/community to 1.1.14 immediately. If you cannot patch today, disable RecursiveUrlLoader or enforce network-level SSRF controls (IMDSv2 enforcement, block 169.254.169.254 at the firewall).
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langchain_community | pip | — | No patch |
Do you use langchain_community? You're affected.
Severity & Risk
Recommended Action
- 1. PATCH: Upgrade @langchain/community to >= 1.1.14 immediately. Verify package-lock.json or yarn.lock reflects the update. 2. NETWORK CONTROLS: Enforce IMDSv2 (token-required) on all EC2/ECS instances running LangChain workloads. Block access to 169.254.169.254 via iptables/security groups. Block RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from application-layer outbound requests. 3. WORKAROUND (if unable to patch): Replace RecursiveUrlLoader with a custom crawler that validates URLs against a semantic parser and an explicit allowlist, not string prefix matching. 4. DETECTION: Monitor for outbound requests to 169.254.169.254, ::1, or private IP ranges from LangChain application pods/containers. Alert on HTTP requests from application processes to cloud metadata endpoints. 5. AUDIT: Review all usages of RecursiveUrlLoader in your codebase, especially those accepting URLs from user input or external data sources.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target, causing the crawler to follow links to attacker-controlled or internal infrastructure. Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services, localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction. This vulnerability is fixed in 1.1.14.
Exploitation Scenario
An adversary targeting a company that uses a LangChain-powered research agent for competitive intelligence identifies that the agent crawls industry news sites. The adversary compromises or creates a page on a domain sharing a prefix with the crawl target (e.g., target-news.com vs target-news.com.attacker.com) or embeds a link to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on a page the crawler will visit. When the research agent's RecursiveUrlLoader processes the malicious page, it follows the link without validation, fetches the AWS metadata endpoint, and the response (containing temporary IAM credentials) is processed as content — potentially stored in the RAG database or logged. The attacker can then query the agent or access logs to extract the credentials and pivot to the cloud account.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N References
- github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d Patch
- github.com/langchain-ai/langchainjs/pull/9990 Issue Patch
- github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14 Release
- github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7 Vendor