CVE-2026-25750: langsmith: security flaw enables exploitation
Severity: HIGH
Any organization running LangSmith — cloud or self-hosted — for monitoring LangChain/AI agent pipelines is exposed until upgraded to Helm chart 0.12.71. A single phishing link harvests a bearer token granting full workspace access: traces, prompts, datasets, and any credentials embedded in LLM call logs. Upgrade immediately; if self-hosted, treat this as a critical patch given the direct path to AI pipeline exfiltration.
Risk Assessment
HIGH. CVSS 8.1 is appropriate. Exploitability is realistic: attack complexity is low, no privileges are required, and phishing is a baseline capability for any threat actor. The 5-minute token TTL limits opportunistic mass exploitation but does not protect against targeted attacks — an attacker with a prepared exfiltration endpoint and a credible lure can execute the full kill chain in under 60 seconds. LangSmith workspaces routinely contain LLM traces that include API keys, PII, internal prompts, and proprietary model behavior data, making this a high-value target beyond simple account takeover. Self-hosted deployments have no automatic patch delivery, which significantly increases the exposure window.
Recommended Action
1. PATCH: Upgrade langchain-ai/helm to >= 0.12.71 immediately. For self-hosted, this is the only fix — no workaround exists per vendor advisory.
2. AUDIT: Review LangSmith workspace access logs for any anomalous API calls originating from unexpected IPs in the past 90 days.
3. ROTATE: Rotate all LangSmith API keys and user tokens as a precaution.
4. SCAN TRACES: Audit recent LangSmith traces for inadvertently logged credentials, PII, or sensitive prompts that may now be considered compromised.
5. PHISHING DEFENSE: Brief development and ML teams on this specific attack vector — malicious LangSmith URLs are indistinguishable from legitimate ones without inspecting the baseUrl parameter.
6. DETECTION: Alert on LangSmith authentication from new geographies or user agents within the 5-minute token validity window.
7. ZERO-TRUST: Enforce network-level restrictions on LangSmith instances (allowlist known CI/CD and developer IPs).
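Step 6 asks for an alert when a user's token is used from a new client within the 5-minute validity window. The following is an added example (not LangSmith's or this page's code) of that detection run over constructed access-log events; the event fields (ts, user, ip, ua, action) are assumed, and source IP stands in for geography since no GeoIP lookup is available offline.

```javascript
// Token TTL from the advisory: a stolen token is only useful for 5 minutes,
// so a second authentication by the same user from a different client inside
// that window is the signal worth alerting on.
const TOKEN_TTL_MS = 5 * 60 * 1000;

// Constructed sample events (format is assumed, not LangSmith's real log schema).
// dev-a: browser login, then 90 s later a login from a new IP and a scripted UA.
// dev-b: two logins 30 min apart from neighbouring IPs (outside the window).
// dev-c: re-auth from the same client (benign refresh).
const SAMPLE_EVENTS = [
  { ts: "2026-03-01T10:00:00Z", user: "dev-a", ip: "203.0.113.10", ua: "Chrome/123", action: "auth" },
  { ts: "2026-03-01T10:01:30Z", user: "dev-a", ip: "198.51.100.7", ua: "python-requests/2.31", action: "auth" },
  { ts: "2026-03-01T10:02:00Z", user: "dev-a", ip: "198.51.100.7", ua: "python-requests/2.31", action: "export_traces" },
  { ts: "2026-03-01T11:00:00Z", user: "dev-b", ip: "203.0.113.11", ua: "Firefox/124", action: "auth" },
  { ts: "2026-03-01T11:30:00Z", user: "dev-b", ip: "203.0.113.12", ua: "Firefox/124", action: "auth" },
  { ts: "2026-03-01T12:00:00Z", user: "dev-c", ip: "203.0.113.13", ua: "Chrome/123", action: "auth" },
  { ts: "2026-03-01T12:02:00Z", user: "dev-c", ip: "203.0.113.13", ua: "Chrome/123", action: "auth" },
];

// Returns one alert per authentication that arrives from a different ip/ua pair
// than the user's previous authentication and within ttlMs of it.
function findTokenReuseAlerts(events, ttlMs = TOKEN_TTL_MS) {
  const alerts = [];
  const lastAuth = new Map(); // user -> most recent auth event seen
  const ordered = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const ev of ordered) {
    if (ev.action !== "auth") continue;
    const prev = lastAuth.get(ev.user);
    if (prev !== undefined) {
      const gapMs = Date.parse(ev.ts) - Date.parse(prev.ts);
      const newClient = prev.ip !== ev.ip || prev.ua !== ev.ua;
      if (gapMs <= ttlMs && newClient) {
        alerts.push({ user: ev.user, priorIp: prev.ip, newIp: ev.ip, newUa: ev.ua, secondsApart: gapMs / 1000 });
      }
    }
    lastAuth.set(ev.user, ev);
  }
  return alerts;
}
```

On SAMPLE_EVENTS only dev-a is flagged; the follow-up export_traces call from the same new client is then the activity step 2 would audit.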
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-25750 actively exploited?
No confirmed active exploitation of CVE-2026-25750 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-25750?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM observability and monitoring pipelines, RAG pipelines, model evaluation and fine-tuning pipelines, MLOps/LLMOps infrastructure, Kubernetes-based AI deployments.
What is the CVSS score for CVE-2026-25750?
CVE-2026-25750 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.04%.
Technical Details
NVD Description
Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm version 0.12.71, a URL parameter injection vulnerability existed in LangSmith Studio that could allow unauthorized access to user accounts through stolen authentication tokens. The vulnerability affected both LangSmith Cloud and self-hosted deployments. Authenticated LangSmith users who clicked on a specially crafted malicious link would have their bearer token, user ID, and workspace ID transmitted to an attacker-controlled server. With this stolen token, an attacker could impersonate the victim and access any LangSmith resources or perform any actions the user was authorized to perform within their workspace. The attack required social engineering (phishing, malicious links in emails or chat applications) to convince users to click the crafted URL. The stolen tokens expired after 5 minutes, though repeated attacks against the same user were possible if they could be convinced to click malicious links multiple times. The fix in version 0.12.71 implements validation requiring user-defined allowed origins for the baseUrl parameter, preventing tokens from being sent to unauthorized servers. No known workarounds are available. Self-hosted customers must upgrade to the patched version.
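The fix described above validates the baseUrl parameter against operator-defined allowed origins. The following is an added example, not LangSmith's own code, of what that check looks like in a browser client: the pre-fix resolver that trusts the link beside a hardened one that accepts only an exact https origin match. The two allowlisted origins and the studio.example link in the comments are assumed/constructed.

```javascript
// Operator-defined allowlist (constructed values, not LangSmith's real configuration).
const ALLOWED_ORIGINS = new Set([
  "https://smith.langchain.com",            // assumed cloud origin
  "https://langsmith.internal.example.com", // constructed self-hosted origin
]);

// Pre-fix pattern: whoever made the link decides where the bearer token is sent.
function resolveBaseUrlUnsafe(params) {
  return params.get("baseUrl");
}

// Fixed pattern: parse, normalise, and accept only an exact origin match.
// Returns the canonical origin, or null when the caller must refuse to send the token.
function resolveBaseUrlSafe(params, allowed = ALLOWED_ORIGINS) {
  const raw = params.get("baseUrl");
  if (raw === null) return null;
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null; // rejects http:, javascript:, data:
  // url.origin keeps only scheme, lowercased host and a non-default port; userinfo,
  // path, query and fragment are dropped, so "https://smith.langchain.com@collector.example/"
  // normalises to "https://collector.example" and fails the exact match, as does
  // "https://smith.langchain.com.collector.example" (a suffix, not an equal origin).
  return allowed.has(url.origin) ? url.origin : null;
}

// Evaluate a full studio link (e.g. https://studio.example/?baseUrl=...) the way
// the client would on page load, returning both resolvers' results side by side.
function checkLink(link) {
  const params = new URL(link).searchParams;
  return { unsafe: resolveBaseUrlUnsafe(params), safe: resolveBaseUrlSafe(params) };
}
```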
Exploitation Scenario
A threat actor targeting an organization's AI pipeline begins by identifying LangSmith usage via job postings referencing LangChain or public GitHub repositories. The attacker registers a lookalike domain (e.g., langsmith-security-notice.com) and sets up a token capture endpoint. They craft a LangSmith URL with the vulnerable baseUrl parameter pointing to their server and embed it in a spearphishing email: 'Action required: your LangSmith workspace has been flagged for unusual activity — verify your account.' A developer or ML engineer clicks the link; their browser silently transmits the bearer token, user ID, and workspace ID to the attacker's server. Within 5 minutes, the attacker authenticates to LangSmith, exports all traces (extracting embedded OpenAI/Anthropic API keys from logged headers), downloads evaluation datasets, and maps the organization's complete AI system architecture from run metadata. If the attack is detected and the token expires, the attacker can repeat the phishing attempt — the vulnerability requires no elevated access to exploit repeatedly.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Related Vulnerabilities
- CVE-2025-2828 (CVSS 10.0, same package: langchain): LangChain RequestsToolkit: SSRF exposes cloud metadata
- CVE-2023-36258 (CVSS 9.8, same package: langchain): LangChain: unauthenticated RCE via code injection
- CVE-2023-29374 (CVSS 9.8, same package: langchain): LangChain: RCE via prompt injection in LLMMathChain
- CVE-2023-34540 (CVSS 9.8, same package: langchain): LangChain: RCE via JiraAPIWrapper crafted input
- CVE-2023-34541 (CVSS 9.8, same package: langchain): LangChain: RCE via unsafe load_prompt deserialization