CVE-2026-41481: LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTM
Summary
LangChain's HTMLHeaderTextSplitter validated the initial URL but then followed redirects (automatic forwarding to different URLs) without rechecking the redirect targets, allowing attackers to redirect requests to internal or sensitive servers and potentially leak data. This SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests to unintended locations) was fixed in version 1.1.2.
Solution / Mitigation
Update langchain-text-splitters to version 1.1.2 or later, where this vulnerability is fixed.
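For code that fetches user-supplied URLs itself, the flaw described in the summary is avoided by turning off automatic redirects and validating every hop before requesting it. The following is an added example, not LangChain's code or its actual patch; `is_public_url`, `fetch_checked`, the `send` transport and the offline fixtures are hypothetical names constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5  # assumed limit for this example
REDIRECT_CODES = (301, 302, 303, 307, 308)

def is_public_url(url, resolve=socket.getaddrinfo):
    """True only for http(s) URLs whose host resolves solely to public addresses."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        infos = resolve(parts.hostname, parts.port or 443)
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    except (OSError, ValueError):
        return False
    return bool(addrs) and all(a.is_global for a in addrs)

def fetch_checked(url, send, validate=is_public_url):
    """Follow redirects by hand, validating every hop before requesting it.

    send(url) is a hypothetical transport with automatic redirects disabled;
    it returns (status, headers, body).
    """
    for _ in range(MAX_REDIRECTS + 1):
        if not validate(url):
            raise ValueError(f"blocked URL: {url}")
        status, headers, body = send(url)
        if status not in REDIRECT_CODES:
            return body
        if "Location" not in headers:
            raise ValueError("redirect without Location header")
        url = urljoin(url, headers["Location"])  # handles relative targets
    raise ValueError("too many redirects")

# Constructed offline fixtures: a public page that redirects to loopback.
FAKE_DNS = {"example.com": "93.184.216.34"}
FAKE_WEB = {
    "https://example.com/ok": (200, {}, "<h1>ok</h1>"),
    "https://example.com/doc": (302, {"Location": "http://127.0.0.1:8080/internal"}, ""),
}

def fake_resolve(host, port):
    return [(None, None, None, "", (FAKE_DNS.get(host, host), port))]

def offline_validate(url):
    return is_public_url(url, fake_resolve)

def fake_send(url):
    return FAKE_WEB[url]
```

A real transport should also connect to the address that was validated, since resolving the hostname a second time at connect time can return a different address.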
Vulnerability Details
CVSS score: 6.5 (medium)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: required
April 24, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41481
First tracked: April 24, 2026 at 08:10 PM
Classified by LLM (prompt v3) · confidence: 95%