Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-04-24T20:54:27 langchain-text-splitters: LangChain: Information Disclosure via Server-Side Request Forgery (SSRF) Redirect Bypass 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CWE-918

A flaw was found in LangChain and langchain-text-splitters. This vulnerability, a Server-Side Request Forgery (SSRF) bypass, allows a remote attacker to redirect a seemingly safe URL to internal network resources. By exploiting unvalidated redirects, an attacker could access sensitive data from internal, localhost, or cloud metadata endpoints. This could result in information disclosure or data exfiltration if the application processes and exposes the content from these redirected requests.

This is an Important information disclosure flaw in LangChain and langchain-text-splitters, affecting Red Hat products that process URLs using these components. The vulnerability allows a Server-Side Request Forgery (SSRF) redirect bypass, where initial URL validation is circumvented by unvalidated redirect targets. This could enable an attacker to access internal network resources and potentially exfiltrate sensitive data if the application exposes the content from these redirected requests. To mitigate this issue, Red Hat customers should ensure that applications utilizing LangChain's HTMLHeaderTextSplitter.split_text_from_url() function do not process untrusted or unvalidated URLs. Implement strict input validation for all URL inputs to prevent redirection to internal network resources. If an application exposes the content of processed Document objects to external requesters, consider reconfiguring the application to restrict such exposure. Migration Toolkit for Applications 8 Fix deferred mta/mta-solution-server-rhel9 OpenShift Lightspeed Fix deferred openshift-lightspeed/lightspeed-service-api-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-24/lightspeed-rhel8 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-25/lightspeed-chatbot-rhel8 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-25/lightspeed-rhel8 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-llama-stack-core-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-trustyai-nemo-guardrails-server-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-41481 https://nvd.nist.gov/vuln/detail/CVE-2026-41481 https://github.com/langchain-ai/langchain/security/advisories/GHSA-fv5p-p927-qmxr