{"data":{"id":"b9541707-aa44-488f-b44b-74e8caf518ad","title":"CVE-2026-27795: LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Req","summary":"LangChain's `RecursiveUrlLoader` component had a security flaw: it validated the initial website address but then automatically followed redirects (automatic jumps to different URLs) without validating the redirect targets, so an attacker-controlled public URL could redirect the loader to internal or otherwise sensitive endpoints. This vulnerability was fixed in version 1.1.18 of the `@langchain/community` package.","solution":"Upgrade to `@langchain/community` version 1.1.18. This version disables automatic redirect following (`redirect: \"manual\"`), validates each redirect target with `validateSafeUrl()` before following it, and enforces a maximum redirect count to prevent redirect loops.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-27795","publishedAt":"2026-02-25T18:23:41.153Z","cveId":"CVE-2026-27795","cweIds":["CWE-918"],"cvssScore":"4.1","cvssSeverity":"medium","severity":"medium","attackType":["rag_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangChain","@langchain/community"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00032,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"rag","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}