CVE-2026-26019: LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langch
Summary
LangChain's RecursiveUrlLoader (a web crawler that follows links across pages) had a security flaw in versions before 1.1.14 where its preventOutside option used weak URL comparison that attackers could bypass. An attacker could trick the crawler into visiting unintended domains by creating links with similar prefixes, or into accessing internal services like cloud metadata endpoints and private IP addresses that should be off-limits.
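The prefix-comparison weakness described above, next to a stricter check, as an added example that is not LangChain's code or its patch. All function names and hostnames are hypothetical and constructed for illustration.

```javascript
// Weak pattern: plain string-prefix comparison of the link against the base URL.
function prefixCheck(baseUrl, link) {
  return link.startsWith(baseUrl);
}

// Stricter pattern: compare parsed origins, then require a path-segment boundary.
function sameOriginCheck(baseUrl, link) {
  let base, target;
  try {
    base = new URL(baseUrl);
    target = new URL(link, base); // resolves relative links against the base
  } catch {
    return false; // unparseable input is never in scope
  }
  if (!["http:", "https:"].includes(target.protocol)) return false;
  if (target.origin !== base.origin) return false;
  const basePath = base.pathname.endsWith("/") ? base.pathname : base.pathname + "/";
  return target.pathname === base.pathname || target.pathname.startsWith(basePath);
}

// Separate guard: literal loopback, private and link-local IPv4 hosts.
// Limitation: does not cover IPv6, "localhost", or names that resolve to
// internal addresses; those need a check on the resolved address.
function isInternalIPv4(hostname) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254); // includes the cloud metadata address
}

// Combined decision applied to every link before it is fetched.
function allowLink(baseUrl, link) {
  let resolved;
  try {
    resolved = new URL(link, baseUrl);
  } catch {
    return false;
  }
  if (isInternalIPv4(resolved.hostname)) return false;
  return sameOriginCheck(baseUrl, link);
}
```
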
Solution / Mitigation
Update LangChain to version 1.1.14 or later, which fixes this vulnerability.
Vulnerability Details
4.1 (medium)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-26019
First tracked: February 12, 2026 at 02:21 PM