CVE-2026-41481 — Server-Side Request Forgery in Langchain-text-splitters
Severity
6.5 MEDIUM (NVD)
EPSS
0.0%
top 89.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 24
Latest update: Apr 25
Description
LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections. The respo…
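The redirect bypass described above, as an added illustration that is not LangChain's code: a fetch that checks only the initial URL and then follows redirects (the pattern the advisory describes) beside one that disables automatic redirects and re-runs the check on every hop. The `is_safe_url` validator, the `fetcher` callable and the `FAKE_RESPONSES` table are constructed for this example, so nothing touches the network.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def is_safe_url(url: str) -> bool:
    """Constructed stand-in for an SSRF check: http(s) only, and the host
    must not be localhost or a literal loopback/private/link-local address.
    Resolving DNS names to addresses is out of scope for this illustration."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name; accepted here for simplicity
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_unspecified)

def fetch_vulnerable(url, fetcher):
    """Validate once, then follow redirects blindly, which is what
    requests.get() does by default when only the first URL is checked."""
    if not is_safe_url(url):
        raise ValueError(f"blocked: {url}")
    for _ in range(5):
        status, headers, body = fetcher(url)
        if status not in REDIRECT_STATUSES:
            return url, body
        url = urljoin(url, headers["Location"])  # hop is never revalidated

def fetch_hardened(url, fetcher, max_redirects=5):
    """Follow redirects manually and re-check every hop. `fetcher` stands in
    for requests.get(url, allow_redirects=False)."""
    for _ in range(max_redirects + 1):
        if not is_safe_url(url):
            raise ValueError(f"blocked: {url}")
        status, headers, body = fetcher(url)
        if status not in REDIRECT_STATUSES:
            return url, body
        url = urljoin(url, headers["Location"])
    raise RuntimeError("too many redirects")

# Constructed responses: an external page that redirects to the cloud
# metadata address class the advisory names. Not a real server.
FAKE_RESPONSES = {
    "https://pages.example/doc.html":
        (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"<instance metadata>"),
}

def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}, b""))
```

Calling `fetch_vulnerable("https://pages.example/doc.html", fake_fetch)` returns the metadata body, while `fetch_hardened` raises `ValueError` at the redirected hop.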
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6
Affected Packages (8 packages)
Vulnerability Details
VulDB (1)
langchain-ai langchain-text-splitters up to 1.1.1 HTMLHeaderTextSplitter.split_text_from_url server-side request forgery (GHSA-fv5p-p927-qmxr / EUVD-2026-25634), 2026-04-25
Vendor Advisories
Red Hat (1)
langchain-text-splitters: LangChain: Information Disclosure via Server-Side Request Forgery (SSRF) Redirect Bypass, 2026-04-24
Community
Bugzilla (1)
CVE-2026-41481 langchain-text-splitters: LangChain: Information Disclosure via Server-Side Request Forgery (SSRF) Redirect Bypass, 2026-04-24