CVE-2026-27795
Published: 25 February 2026
Summary
CVE-2026-27795 is a medium-severity SSRF (CWE-918) vulnerability in LangChain's `@langchain/community` package. Its CVSS v3.1 base score is 4.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 14.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as NLP and Transformers.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing: attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Boundary protection: outbound connections to external resources can be monitored and limited at the network boundary, reducing SSRF impact.
Input validation: validates server-side URLs and resource references before they are fetched, blocking SSRF attempts.
Monitoring: detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF bypass in the public-facing `RecursiveUrlLoader` component directly enables T1190 (Exploit Public-Facing Application): crafted redirects let the loader reach internal or cloud-metadata endpoints.
NVD Description
LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.
Deeper analysis
CVE-2026-27795 is a redirect-based Server-Side Request Forgery (SSRF) bypass in the `RecursiveUrlLoader` component of the `@langchain/community` package within the LangChainJS framework, which supports building LLM-powered applications. The vulnerability affects versions prior to 1.1.18. It occurs because the loader validates only the initial URL while allowing the underlying fetch to follow redirects automatically, enabling a shift from a safe public URL to an internal or metadata endpoint without revalidation. This serves as a bypass of SSRF protections added in version 1.1.14 for CVE-2026-26019.
Exploitation is possible over the network with low complexity by an attacker with low privileges, and requires user interaction: the attacker must get a user to feed the loader a specially crafted URL (AV:N/AC:L/PR:L/UI:R). The initial URL points at a safe public host that redirects to a restricted internal resource; because the fetch follows the redirect automatically, the redirected target is never validated and the request reaches the internal endpoint. The scope changes (the loader's host acts as a proxy into a network segment the attacker cannot otherwise reach) and confidentiality impact is low (S:C/C:L); the vector records no integrity or availability impact (I:N/A:N), which yields the CVSS v3.1 base score of 4.1. The weakness type is CWE-918.
Mitigation requires upgrading to `@langchain/community` version 1.1.18, as detailed in the LangChainJS GitHub releases, commits, and pull request #9990. This patch disables automatic redirects (redirect: "manual"), resolves each 3xx Location header and validates it via `validateSafeUrl()` before following, and enforces a maximum redirect limit to avoid loops.
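The following is an added illustration of the pattern described above, written for this page; it is not code from `@langchain/community` and its `validateSafeUrl()` is a hypothetical stand-in for the library's gate (literal-IP and hostname checks only; a production gate must also resolve DNS and pin the connection to the resolved address, which is out of scope here). `fetchVulnerable()` shows the pre-1.1.18 shape (validate once, let fetch follow redirects); `fetchValidatedRedirects()` shows the fixed shape (`redirect: "manual"`, re-validate every `Location`, cap the hop count). The `fetch` stand-in and its routes are constructed so the example runs offline.

```javascript
// Hypothetical URL gate, modelled on the role validateSafeUrl() plays in the fix.
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

function isBlockedIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||            // link-local, includes 169.254.169.254 metadata
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

function validateSafeUrl(input) {
  const url = new URL(input); // WHATWG parser normalises 0x7f000001, 127.1, 2130706433 to 127.0.0.1
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`blocked scheme: ${url.protocol}`);
  }
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (BLOCKED_HOSTS.has(host) || host.endsWith(".localhost") || host === "::1" || isBlockedIPv4(host)) {
    throw new Error(`blocked host: ${host}`);
  }
  return url;
}

// Vulnerable shape: the first URL is gated, then fetch follows 3xx hops on its own.
async function fetchVulnerable(input, fetchImpl = globalThis.fetch) {
  const url = validateSafeUrl(input);
  return fetchImpl(url.href); // default redirect: "follow"; later hops are never re-validated
}

// Hardened shape: redirect: "manual", gate every Location, bound the number of hops.
async function fetchValidatedRedirects(input, { fetchImpl = globalThis.fetch, maxRedirects = 5 } = {}) {
  let url = validateSafeUrl(input);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(url.href, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status > 399 || !location) return res;
    // Resolve a possibly relative Location against the current URL, then gate it
    // exactly as the first URL was gated, before the next request is issued.
    url = validateSafeUrl(new URL(location, url).href);
  }
  throw new Error(`redirect limit of ${maxRedirects} exceeded`);
}

// Constructed offline stand-in for fetch: a public page that 302s to the cloud
// metadata endpoint, a benign relative redirect, and a redirect loop.
const ROUTES = {
  "https://public.example.com/start": { status: 302, location: "http://169.254.169.254/latest/meta-data/" },
  "https://public.example.com/a": { status: 301, location: "/b" },
  "https://public.example.com/b": { status: 200, body: "page b" },
  "https://public.example.com/loop": { status: 302, location: "/loop" },
  "http://169.254.169.254/latest/meta-data/": { status: 200, body: "iam/security-credentials" },
};

function makeMockFetch(routes) {
  return async function mockFetch(href, init = {}) {
    let current = href;
    for (let i = 0; i < 20; i++) {
      const route = routes[current];
      if (!route) return new Response("not found", { status: 404 });
      // Like real fetch, follow 3xx internally unless the caller asked for redirect: "manual".
      if (route.location && init.redirect !== "manual") {
        current = new URL(route.location, current).href;
        continue;
      }
      const headers = route.location ? { location: route.location } : {};
      return new Response(route.body ?? null, { status: route.status, headers });
    }
    throw new TypeError("redirect count exceeded");
  };
}

async function demo() {
  const fetchImpl = makeMockFetch(ROUTES);
  const outcome = async (p) => { try { return (await p).status === 200 ? await (await p).text() : "non-200"; } catch (e) { return e.message; } };
  return {
    vulnerable: await outcome(fetchVulnerable("https://public.example.com/start", fetchImpl)),
    hardened: await outcome(fetchValidatedRedirects("https://public.example.com/start", { fetchImpl })),
    benign: await outcome(fetchValidatedRedirects("https://public.example.com/a", { fetchImpl })),
    loop: await outcome(fetchValidatedRedirects("https://public.example.com/loop", { fetchImpl })),
  };
}

demo().then((r) => console.log(r));
```

With the constructed routes, `vulnerable` comes back with the metadata body, `hardened` is rejected at the first hop with `blocked host: 169.254.169.254`, the benign relative redirect still resolves to `page b`, and the self-redirect is cut off by the hop limit.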
Details
- CWE(s)
- CWE-918 (Server-Side Request Forgery)
Affected Products
- `@langchain/community` versions prior to 1.1.18
AI Security Analysis
- AI Category
- NLP and Transformers
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: langchain, llm