CVE-2026-27795

LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.

An attacker with authenticated access to a LangChain-based research agent or RAG pipeline submits a request containing a URL pointing to their controlled server (which passes RecursiveUrlLoader's initial URL validation). The attacker's server responds with an HTTP 301 redirect to http://169.254.169.254/latest/meta-data/iam/security-credentials/. On versions 1.1.14–1.1.17, the loader follows the redirect without revalidating the Location header. The metadata endpoint returns IAM role credentials as plain text, which the loader ingests as a document. Depending on application design, these credentials may be passed to the LLM as context, stored in the RAG vector database, or surfaced in API responses. The attacker retrieves the credentials and uses them to access AWS resources—S3 buckets, Secrets Manager, or RDS—outside the application's intended scope.