CVE-2026-26013 — Vulnetix

CVE-2026-26013 PUBLISHED CVSS 3.700000047683716 LOW

LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages

EPSS 0.02% · 5.5th percentile

Risk Scores

CVSS 3.1

3.700000047683716

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Score

0.02%

5.5th percentile

Affected Products

Vendor	Product	Versions
langchain	langchain_core	0
langchain-ai	langchain	< 1.2.11
PyPI	langchain-core	0

Exploit Intelligence

CIRCL seen: CVE-2026-26013 (circl-sighting)
https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r (circl)
https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565 (circl)
https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11 (circl)
base_agent.py (github-poc)
base_agent.py (github-poc)
ci_reliability_contract.yaml (github-poc)
ci_reliability_contract.yaml (github-poc)
ci_reliability_contract.yaml (github-poc)
ci_reliability_contract.yaml (github-poc)

…and 18 more exploits

Timeline

Feb 10, 2026 CVE Published
Feb 11, 2026 EPSS Score
Feb 11, 2026 PoC Published
Feb 11, 2026 CVE Updated
Feb 12, 2026 Security Advisory
Feb 13, 2026 EPSS Score
Feb 15, 2026 EPSS Score
Feb 17, 2026 EPSS Score
Feb 19, 2026 EPSS Score
Feb 21, 2026 EPSS Score
Feb 23, 2026 EPSS Score
Feb 25, 2026 EPSS Score

References

Open in Interactive Console →

$ Console Community · 100/wk Open console ›