CVE-2026-26019 — MEDIUM (4.1)

Q: How severe is CVE-2026-26019?

CVE-2026-26019 has been rated MEDIUM with a CVSS base score of 4.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-26019?

Check the references section above for vendor advisories and patch information. Affected products include: Langchain Langchain Community.

Vulnerability Description

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target, causing the crawler to follow links to attacker-controlled or internal infrastructure. Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services, localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction. This vulnerability is fixed in 1.1.14.

CVSS Score

4.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Langchain	Langchain Community	< 1.1.14

Related Weaknesses (CWE)

CWE-918

References

https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2fPatch
https://github.com/langchain-ai/langchainjs/pull/9990Issue TrackingPatch
https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2FcommunitRelease Notes
https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4Vendor Advisory

FAQ

What is CVE-2026-26019?

CVE-2026-26019 is a vulnerability with a CVSS score of 4.1 (MEDIUM). LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting UR...

How severe is CVE-2026-26019?

CVE-2026-26019 has been rated MEDIUM with a CVSS base score of 4.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-26019?

Check the references section above for vendor advisories and patch information. Affected products include: Langchain Langchain Community.