{"data":{"id":"20412666-d06f-4060-80e4-9ac1e072ff55","title":"CVE-2026-41488: LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_s","summary":"LangChain (a framework for building AI agents and applications powered by large language models) versions before 1.1.14 had a TOCTOU vulnerability (time-of-check-time-of-use, where a security check and an action happen at different times with a gap in between) in its image token counting feature. An attacker could trick the system by making a hostname first resolve to a safe public IP address during a security check, then resolve to a private or localhost IP address during the actual network request, bypassing security protections.","solution":"Update langchain-openai to version 1.1.14 or later.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-41488","publishedAt":"2026-04-24T21:16:19.637Z","cveId":"CVE-2026-41488","cweIds":["CWE-918"],"cvssScore":"3.1","cvssSeverity":"low","severity":"low","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangChain","OpenAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","attackVector":"network","attackComplexity":"high","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-24T21:16:19.637Z","capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":["AML.T0010"]}}