VDB

CVE-2026-26019

CVE-2026-26019 PUBLISHED CVSS 4.1 MEDIUM

Reported by GitHub_M · Published February 11, 2026

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target, causing the crawler to follow links to attacker-controlled or internal infrastructure. Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services, localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction. This vulnerability is fixed in 1.1.14.

Risk Scores

CVSS v3.1
4.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Affected Products

VendorProductVersions
langchain-ailangchainjs< 1.1.14
langchain-ailangchainjs< 1.1.14, *
langchaincommunity0, 0
chainguardkibana-8.190

Timeline

  • Feb 11, 2026 CVE Published
  • Feb 11, 2026 Fix PR Merged
  • Feb 12, 2026 CVE Updated
  • Feb 12, 2026 EPSS Score
  • Feb 12, 2026 Security Advisory
  • Feb 14, 2026 EPSS Score
  • Feb 16, 2026 EPSS Score
  • Feb 18, 2026 EPSS Score
  • Feb 20, 2026 EPSS Score
  • Feb 22, 2026 EPSS Score
  • Feb 24, 2026 EPSS Score
  • Feb 26, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›