{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41488", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T16:14:19.007Z", "datePublished": "2026-04-24T20:57:25.658Z", "dateUpdated": "2026-04-27T13:40:42.065Z"}, "containers": {"cna": {"title": "angchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r"}], "affected": [{"vendor": "langchain-ai", "product": "langchain-openai", "versions": [{"version": "< 1.1.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T20:57:25.658Z"}, "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch."}], "source": {"advisory": "GHSA-r7w7-9xr2-qq2r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:40:34.758273Z", "id": "CVE-2026-41488", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:40:42.065Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41488", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:40:34.758273Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:40:38.447Z"}}], "cna": {"title": "angchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding", "source": {"advisory": "GHSA-r7w7-9xr2-qq2r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "langchain-ai", "product": "langchain-openai", "versions": [{"status": "affected", "version": "< 1.1.14"}]}], "references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r", "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T20:57:25.658Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41488", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:40:42.065Z", "dateReserved": "2026-04-20T16:14:19.007Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T20:57:25.658Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch."}], "id": "CVE-2026-41488", "lastModified": "2026-04-27T18:57:20.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T21:16:19.637", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "langchain-openai: Langchain-openai: Server-Side Request Forgery (SSRF) protection bypass via DNS rebinding", "id": "2461734", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461734"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-367", "details": ["A flaw was found in langchain-openai. A remote attacker could exploit a Time-of-Check to Time-of-Use (TOCTOU) vulnerability, also known as a DNS rebinding vulnerability. This occurs because the _url_to_size() helper, used for image token counting, validates URLs for Server-Side Request Forgery (SSRF) protection and then fetches them in a separate network operation with independent DNS resolution. This allows an attacker to bypass SSRF protection, potentially leading to unauthorized access to internal resources or information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-41488", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-solution-server-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-25/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-25/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-04-24T20:57:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41488\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41488\nhttps://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r"], "statement": "This vulnerability has a Low impact on Red Hat products. The flaw in `langchain-openai` allows a remote attacker to bypass Server-Side Request Forgery (SSRF) protection through a DNS rebinding attack. This is due to a Time-of-Check to Time-of-Use (TOCTOU) vulnerability during URL validation and fetching, which could lead to unauthorized access to internal resources or information disclosure. Exploitation requires a specific timing window and control over DNS resolution.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.14)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "langchain-openai", "source": "cna", "vendor": "langchain-ai"}, "product": "langchain", "vendor": "langchain-ai"}], "analysis": {"en": {"generated_at": "2026-04-28T05:43:53.309929+00:00", "value": {"mitigation_remediation": ["Upgrade langchain-openai to version 1.1.14 or later, which closes the DNS rebinding window.", "If an upgrade is not immediately possible, restrict the image token counting feature to URLs whose hosts are known, trusted domains and block any DNS responses that resolve to private addresses such as 10.x.x.x, 172.16\u2011172.31.x, 192.168.x.x and 127.0.0.1.", "Implement an additional post\u2011fetch validation step that re\u2011resolves the hostname and verifies that the final IP address is not internal; reject the request if it is."], "summary": {"action": "Patch", "impact": "SSRF via DNS rebinding"}, "threat_synthesis": {"affected_systems": "LangChain \u2013 specifically the langchain-openai package \u2013 is affected in all releases prior to 1.1.14. The fix was introduced in version 1.1.14 and later releases protect against the DNS rebinding window.", "description_and_impact": "This vulnerability resides in LangChain\u2019s langchain-openai module. Prior to version 1.1.14 the helper that counts image tokens performs initial SSRF validation on a URL and then fetches the image in a separate network operation with an independent DNS lookup. The separation creates a time\u2011of\u2011check to time\u2011of\u2011use window; an attacker who supplies a domain that resolves to a public IP during validation can later cause the fetch to resolve to a private or localhost IP, enabling SSRF. The weakness is a classic DNS rebinding flaw (CWE\u2011918). The impact is that an attacker can cause the application to make internal network requests that it was not intended to perform.", "risk_and_exploitability": "The CVSS score is 3.1, indicating low overall severity, and the EPSS score is less than 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the flaw relies on control of a DNS name that can be made to resolve to internal addresses, it is most likely to be exploited by an attacker who can supply image URLs or otherwise invoke the token counting function with a crafted hostname."}}}}, "created": "2026-04-27T20:15:12.103142+00:00", "updated": "2026-04-28T05:45:23.303009+00:00", "vendors": ["langchain-ai", "langchain-ai$PRODUCT$langchain"]}