{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-27795","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-02-24T02:31:33.265Z","datePublished":"2026-02-25T17:30:01.106Z","dateUpdated":"2026-02-25T18:42:52.277Z"},"containers":{"cna":{"title":"LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader","problemTypes":[{"descriptions":[{"cweId":"CWE-918","lang":"en","description":"CWE-918: Server-Side Request Forgery (SSRF)","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-mphv-75cg-56wg","tags":["x_refsource_CONFIRM"],"url":"https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-mphv-75cg-56wg"},{"name":"https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7","tags":["x_refsource_MISC"],"url":"https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7"},{"name":"https://github.com/langchain-ai/langchainjs/pull/9990","tags":["x_refsource_MISC"],"url":"https://github.com/langchain-ai/langchainjs/pull/9990"},{"name":"https://github.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee","tags":["x_refsource_MISC"],"url":"https://github.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee"},{"name":"https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d","tags":["x_refsource_MISC"],"url":"https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d"},{"name":
"https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14","tags":["x_refsource_MISC"],"url":"https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14"},{"name":"https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.18","tags":["x_refsource_MISC"],"url":"https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.18"}],"affected":[{"vendor":"langchain-ai","product":"langchainjs","versions":[{"version":"< 1.1.18","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-02-25T17:30:01.106Z"},"descriptions":[{"lang":"en","value":"LangChain is a framework for building LLM-powered applications. Prior to version 1.1.18, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: \"manual\"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops."}],"source":{"advisory":"GHSA-mphv-75cg-56wg","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-25T18:42:34.609541Z","id":"CVE-2026-27795","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-25T18:42:52.277Z"}}]}}