langchain - 💡(How to fix) Fix Backport SSRF fixes (CVE-2026-26013, CVE-2026-41488) to the v0.3 branch

Summary

The published security advisories for the image-token-counting SSRF chain in ChatOpenAI.get_num_tokens_from_messages list no patched 0.3.x version:

  • CVE-2026-26013 / GHSA-2g6r-c272-w58r — SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages (_url_to_size calls httpx.get(image_source) directly with no SSRF protection on v0.3).
  • CVE-2026-41488 / GHSA-r7w7-9xr2-qq2r — DNS-rebinding bypass of the initial SSRF protection. Patched on master / v1.x by switching to an SSRF-safe transport that pins the resolved IP and disables redirects.

The current published advisories list patched versions only on the 1.x release line:

CVE              langchain-openai patched   langchain-core patched
CVE-2026-26013   (none for 0.3.x)           (none for 0.3.x)
CVE-2026-41488   >=1.1.14                   (relies on langchain-core._security)

Users still on the v0.3 line cannot pick up these fixes without upgrading to 1.x, which may not be feasible for applications still on the legacy langchain-core 0.3.x chain.
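As an added illustration of the two properties the advisories attribute to the upstream fix (every resolved address is range-checked, and the connection is then made to that exact address with redirects refused, so a DNS answer that changes between lookup and connect cannot reach an internal host), the following is example code written for this page. It is not the langchain_core._security module or any other langchain code; the names UnsafeImageURL, is_public_ip, pin_image_url, is_fetchable and fetch_pinned, the injectable resolver hook, and the hostnames and addresses used in the comments are assumptions or constructed values.

```python
"""Added example (not langchain code): SSRF-safe pre-flight for an image URL.

pin_image_url() resolves the host, rejects any non-public answer, and rewrites
the URL to the validated IP literal; fetch_pinned() then connects to that IP,
keeps the original hostname for Host/SNI, and never follows redirects.
"""
from __future__ import annotations

import http.client
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit


class UnsafeImageURL(ValueError):
    """Raised when a URL must not be fetched."""


# hostname -> list of IP strings (assumed interface, injectable for offline tests)
Resolver = Callable[[str], list[str]]


def _system_resolver(host: str) -> list[str]:
    """Return every A/AAAA answer the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.1 is an IPv4 address in disguise; judge the inner address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global already excludes loopback, link-local (169.254.169.254 metadata),
    # RFC 1918, CGNAT and documentation ranges; multicast/unspecified are extra.
    return addr.is_global and not addr.is_multicast and not addr.is_unspecified


@dataclass(frozen=True)
class PinnedRequest:
    url: str          # original URL with the host replaced by the validated IP literal
    host_header: str  # original hostname, still sent as Host and used for SNI
    ip: str


def pin_image_url(url: str, resolver: Resolver = _system_resolver) -> PinnedRequest:
    """Validate url and pin it to one public IP, or raise UnsafeImageURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeImageURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeImageURL("URL has no host")
    if parts.username or parts.password:
        raise UnsafeImageURL("credentials in URL are not allowed")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeImageURL(f"invalid port: {exc}") from None
    host = parts.hostname
    try:
        ipaddress.ip_address(host)   # literal IP: no lookup, but still range-checked
        answers = [host]
    except ValueError:
        answers = resolver(host)
    if not answers:
        raise UnsafeImageURL(f"{host} did not resolve")
    # Every answer must be public: a mixed public/private answer set lets the
    # client pick the internal one.
    bad = [ip for ip in answers if not is_public_ip(ip)]
    if bad:
        raise UnsafeImageURL(f"{host} resolves to non-public address(es): {bad}")
    ip = answers[0]
    ip_literal = f"[{ip}]" if ":" in ip else ip
    pinned = parts._replace(netloc=f"{ip_literal}:{port}").geturl()
    return PinnedRequest(url=pinned, host_header=host, ip=ip)


def is_fetchable(url: str, resolver: Resolver = _system_resolver) -> bool:
    """Convenience wrapper: True if pin_image_url() accepts the URL."""
    try:
        pin_image_url(url, resolver=resolver)
    except UnsafeImageURL:
        return False
    return True


def fetch_pinned(req: PinnedRequest, timeout: float = 10.0,
                 max_bytes: int = 8 * 1024 * 1024) -> bytes:
    """GET the pinned URL over a direct connection to req.ip; refuse redirects."""
    parts = urlsplit(req.url)
    raw = socket.create_connection((req.ip, parts.port), timeout=timeout)
    if parts.scheme == "https":
        # TLS still uses the real hostname, so SNI and certificate checks hold.
        sock = ssl.create_default_context().wrap_socket(raw, server_hostname=req.host_header)
    else:
        sock = raw
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    sock.sendall(f"GET {target} HTTP/1.1\r\nHost: {req.host_header}\r\n"
                 "Connection: close\r\n\r\n".encode("ascii"))
    resp = http.client.HTTPResponse(sock, method="GET")
    try:
        resp.begin()
        if 300 <= resp.status < 400:   # a 3xx could point back inside the network
            raise UnsafeImageURL(f"redirect to {resp.getheader('Location')!r} refused")
        if resp.status != 200:
            raise UnsafeImageURL(f"unexpected status {resp.status}")
        body = resp.read(max_bytes + 1)
    finally:
        sock.close()
    if len(body) > max_bytes:
        raise UnsafeImageURL("response larger than max_bytes")
    return body
```

The resolver is injected so the range check can be exercised without network access; in production the default OS resolver is used, and the single lookup result is what the socket connects to, which is the point of pinning.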

Proposed change

Backport the upstream langchain_core._security module (PRs #35143 → #36768 → #36816) plus the langchain-openai _url_to_size fix (#36819) onto the v0.3 branch, with two minimal from __future__ import annotations adjustments for py39 compatibility. No public-API changes, no version bumps.

Pattern

Follows the same v0.3 security-backport pattern as recent merged PRs:

  • #37233 — fix(core): backport path-traversal fix to v0.3 (CVE-2026-34070)
  • #37239 — chore(langchain): backport loads/dumps harden to v0.3 and deprecate hub
  • #37201 — fix(core, langchain): harden load() against untrusted manifests
  • #37209 — fix(langchain): restrict deserialization in langchain.storage._lc_store

Related PR

Branch is ready and tested locally: https://github.com/erny/langchain/tree/backport/cve-2026-26013-2026-41488-image-ssrf.
