Agents
LangChain CVE-2026-41481: SSRF Redirect Bypass in HTMLHeaderTextSplitter Leaks Internal Network Data
LangChain disclosed CVE-2026-41481 (CVSS 6.5) on April 24: HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL but performed the fetch with redirects enabled, allowing attacker-controlled servers to redirect to localhost, cloud metadata, or internal endpoints. The fix in langchain-text-splitters 1.1.2 replaces requests.get() with an SSRF-safe httpx transport that validates DNS on every request including redirects. The split_text_from_url() method has been deprecated entirely.
Source
↳ Follow the thread