CVE-2026-26013: LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
Server-Side Request Forgery (SSRF) in ChatOpenAI Image Token Counting
Summary The ChatOpenAI.getnumtokensfrommessages() method fetches arbitrary imageurl values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input.
Severity Low - The vulnerability allows SSRF attacks but has limited impact due to: - Responses are not returned to the attacker (blind SSRF) - Default 5-second timeout limits resource exhaustion - Non-image responses fail at PIL image parsing
Impact An attacker who can control image URLs passed to getnumtokensfrommessages() can: - Trigger HTTP requests from the application server to arbitrary internal or external URLs - Cause the server to access internal network resources (private IPs, cloud metadata endpoints) - Cause minor resource consumption through image downloads (bounded by timeout)
Note: This vulnerability occurs during token counting, which may happen outside of model invocation (e.g., in logging, metrics, or token budgeting flows).
Details The vulnerable code path: 1. getnumtokensfrommessages() processes messages containing imageurl content blocks 2. For images without detail: "low", it calls urltosize() to fetch the image and compute token counts 3. urltosize() performs httpx.get(imagesource) on any URL without validation 4. Prior to the patch, there was no SSRF protection, size limits, or explicit timeout
File: libs/partners/openai/langchainopenai/chatmodels/base.py
Patches The vulnerability has been patched in langchain-openai==1.1.9 (requires langchain-core==1.2.11).
The patch adds: 1. SSRF validation using langchaincore.security.ssrfprotection.validatesafeurl() to block: - Private IP ranges (RFC 1918, loopback, link-local) - Cloud metadata endpoints (169.254.169.254, etc.) - Invalid URL schemes 2. Explicit size limits (50 MB maximum, matching OpenAI's payload limit) 3. Explicit timeout (5 seconds, same as httpx.get default) 4. Allow disabling image fetching via allowfetchingimages=False parameter
Workarounds If you cannot upgrade immediately:
1. Sanitize input: Validate and filter imageurl values before passing messages to token counting or model invocation 2. Use network controls: Implement egress filtering to prevent outbound requests to private IPs
Other sources
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.getnumtokensfrommessages() method fetches arbitrary imageurl values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
— MITRE
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2026-26013?
CVE-2026-26013 is classified as a moderate severity vulnerability due to its potential for server-side request forgery (SSRF).
How do I fix CVE-2026-26013?
To fix CVE-2026-26013, upgrade LangChain to version 1.2.11 or later, which addresses the SSRF issue in the ChatOpenAI.get_num_tokens_from_messages() method.
What systems are affected by CVE-2026-26013?
CVE-2026-26013 affects LangChain versions prior to 1.2.11, specifically when utilizing the ChatOpenAI functionality.
What kind of attack is CVE-2026-26013 associated with?
CVE-2026-26013 is associated with server-side request forgery (SSRF) attacks that can exploit unvalidated URL fetching.
Who is responsible for the CVE-2026-26013 vulnerability?
CVE-2026-26013 was reported in the LangChain framework, specifically linked to its image_url token counting mechanism.