Cyber Resilience

CVE-2026-27795

Medium

Published: 25 February 2026
Modified: 13 April 2026
CVSS v3.1 score: 4.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N)
EPSS score: 0.0005 (15.4th percentile)
Risk priority: 8 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27795 is a medium-severity SSRF (CWE-918) vulnerability in LangChain Community (vendor: Langchain). Its CVSS v3.1 base score is 4.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27795 is a redirect-based Server-Side Request Forgery (SSRF) bypass in the `RecursiveUrlLoader` component of the `@langchain/community` package within the LangChainJS framework, which supports building LLM-powered applications. The vulnerability affects versions prior to 1.1.18. It occurs because the loader validates only the initial URL while allowing the underlying fetch to follow redirects automatically, enabling a shift from a safe public URL to an internal or metadata endpoint without revalidation. This serves as a bypass of SSRF protections added in version 1.1.14 for CVE-2026-26019.

Exploitation is possible over the network with low complexity by an attacker with low privileges who tricks a user into providing a specially crafted URL (AV:N/AC:L/PR:L/UI:R). The attacker can supply an initial safe public URL that redirects to restricted internal resources; when the loader processes it with user interaction, the automatic redirects bypass validation, resulting in SSRF with changed scope and low confidentiality impact (S:C/C:L). No integrity or availability impacts are possible, reflected in the CVSS v3.1 base score of 4.1 (CWE-918).

Mitigation requires upgrading to `@langchain/community` version 1.1.18, as detailed in the LangChainJS GitHub releases, commits, and pull request #9990. This patch disables automatic redirects (`redirect: "manual"`), resolves each 3xx `Location` header and validates it via `validateSafeUrl()` before following, and enforces a maximum redirect limit to avoid loops.


Vulnerability details

LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.
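The redirect handling that the Deeper analysis and the Vulnerability details describe (manual redirects, per-hop `Location` validation, a hop limit), shown here as an added example that is not the `@langchain/community` code: `validateSafeUrl` is a simplified stand-in for the project's function of the same name, `fetchWithValidatedRedirects` and `makeFakeFetch` are hypothetical helpers, and the fake fetch table is constructed so the example runs offline.

```javascript
const MAX_REDIRECTS = 5;

// Private, loopback, link-local (incl. 169.254.169.254 cloud metadata) and 0.0.0.0/8 IPv4 literals.
function isBlockedIPv4(host) {
  const m = host.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Simplified stand-in (assumption) for the project's validateSafeUrl(): only http(s),
// and no localhost, loopback or private/link-local IPv4 literal. Hostnames that
// resolve to internal addresses are not covered by this version.
function validateSafeUrl(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`blocked scheme: ${url.protocol}`);
  }
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost") || host === "::1" || isBlockedIPv4(host)) {
    throw new Error(`blocked host: ${host}`);
  }
  return url;
}

// Follow redirects by hand: redirect: "manual" keeps fetch from following on its own;
// each 3xx Location is resolved against the current URL and validated before it is
// requested, and the hop counter bounds redirect loops.
async function fetchWithValidatedRedirects(startUrl, fetchImpl, maxRedirects = MAX_REDIRECTS) {
  let current = validateSafeUrl(startUrl).href;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(current, { redirect: "manual" });
    if (res.status < 300 || res.status > 399) return { url: current, status: res.status, hops: hop };
    const location = res.headers.get("location");
    if (!location) throw new Error(`3xx without Location from ${current}`);
    current = validateSafeUrl(new URL(location, current).href).href;
  }
  throw new Error(`more than ${maxRedirects} redirects from ${startUrl}`);
}

// Constructed offline stand-in for fetch: responses keyed by URL (header names lowercased).
function makeFakeFetch(table) {
  return async (url) => {
    const entry = table[url] || { status: 404, headers: {} };
    return { status: entry.status, headers: new Map(Object.entries(entry.headers || {})) };
  };
}
```

This assumes a Node-style server-side fetch, where `redirect: "manual"` returns the 3xx response with its `Location` header; a browser fetch returns an opaque-redirect response instead.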

CWE(s)

CWE-918 (Server-Side Request Forgery)

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: langchain, llm

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF bypass in public-facing RecursiveUrlLoader component directly enables T1190 (Exploit Public-Facing Application) to reach internal/metadata endpoints via crafted redirects.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44843 (same vendor: Langchain)
CVE-2026-2654 (shared CWE-918)
CVE-2026-45401 (shared CWE-918)
CVE-2026-34070 (same vendor: Langchain)
CVE-2026-6514 (shared CWE-918)
CVE-2026-44116 (shared CWE-918)
CVE-2026-21887 (shared CWE-918)
CVE-2026-31910 (shared CWE-918)
CVE-2026-48153 (shared CWE-918)
CVE-2026-3789 (shared CWE-918)

Affected Assets

Vendor: langchain
Product: langchain community
Versions: ≤ 1.1.18

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation of URL inputs and redirect targets to block the unvalidated Location hops that enable the SSRF bypass.

AC-4 Information Flow Enforcement (prevent)

Enforces information-flow rules that prevent the application from following redirects to internal/metadata endpoints after an initial safe URL is supplied.

Boundary protection (prevent)

Boundary-protection mechanisms can restrict the loader's outbound requests to approved destinations, limiting the impact of the redirect-based SSRF.
