CVE-2026-25750: langsmith: URL parameter injection in LangSmith Studio allows authentication token theft

Severity: HIGH
Published: March 4, 2026
CISO Take

Any organization running LangSmith — cloud or self-hosted — for monitoring LangChain/AI agent pipelines is exposed until upgraded to Helm chart 0.12.71. A single phishing link harvests a bearer token granting full workspace access: traces, prompts, datasets, and any credentials embedded in LLM call logs. Upgrade immediately; if self-hosted, treat this as a critical patch given the direct path to AI pipeline exfiltration.

What is the risk?

HIGH. CVSS 8.1 is appropriate. Exploitability is realistic: attack complexity is low, no privileges are required, and phishing is a baseline capability for any threat actor. The 5-minute token TTL limits opportunistic mass exploitation but does not protect against targeted attacks — an attacker with a prepared exfiltration endpoint and a credible lure can execute the full kill chain in under 60 seconds. LangSmith workspaces routinely contain LLM traces that include API keys, PII, internal prompts, and proprietary model behavior data, making this a high-value target beyond simple account takeover. Self-hosted deployments have no automatic patch delivery, which significantly increases the exposure window.

What systems are affected?

Package     Ecosystem   Vulnerable Range   Patched
LangChain   pip         (not listed)       No patch

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 21% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

7 steps

  1. PATCH: Upgrade langchain-ai/helm to >= 0.12.71 immediately. For self-hosted, this is the only fix — no workaround exists per vendor advisory.

  2. AUDIT: Review LangSmith workspace access logs for any anomalous API calls originating from unexpected IPs in the past 90 days.

  3. ROTATE: Rotate all LangSmith API keys and user tokens as a precaution.

  4. SCAN TRACES: Audit recent LangSmith traces for inadvertently logged credentials, PII, or sensitive prompts that may now be considered compromised.

  5. PHISHING DEFENSE: Brief development and ML teams on this specific attack vector — malicious LangSmith URLs are indistinguishable from legitimate ones without inspecting the baseUrl parameter.

  6. DETECTION: Alert on LangSmith authentication from new geographies or user agents within the 5-minute token validity window.

  7. ZERO-TRUST: Enforce network-level restrictions on LangSmith instances (allowlist known CI/CD and developer IPs).
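Step 6 above, worked through as an added detection example; it is not a LangSmith feature and not code from the vendor. The JSON-lines log format, the field names (ts, user, ip, geo, ua) and the events themselves are constructed for this illustration, so map them onto whatever your own access logs actually record. The rule flags a user who authenticates again within the 5-minute token validity window from a different geography or user agent, which is the footprint a replayed stolen token leaves behind.

```javascript
// Added illustration (not a LangSmith feature): flag re-authentication by the
// same user from a different client fingerprint within the token TTL.
// Log format, field names and sample events are constructed for this example.
const TOKEN_TTL_MS = 5 * 60 * 1000; // the 5-minute validity window from the advisory

// Constructed sample events (JSON lines), one per successful authentication.
const SAMPLE_LOG = `
{"ts":"2026-03-04T09:00:00Z","user":"dev1","ip":"203.0.113.10","geo":"DE","ua":"Mozilla/5.0 (X11; Linux) Chrome/122"}
{"ts":"2026-03-04T09:01:30Z","user":"dev1","ip":"198.51.100.7","geo":"US","ua":"python-requests/2.31"}
{"ts":"2026-03-04T09:30:00Z","user":"dev2","ip":"203.0.113.11","geo":"DE","ua":"Mozilla/5.0 (Macintosh) Chrome/122"}
{"ts":"2026-03-04T09:31:00Z","user":"dev2","ip":"203.0.113.11","geo":"DE","ua":"Mozilla/5.0 (Macintosh) Chrome/122"}
{"ts":"2026-03-04T10:00:00Z","user":"dev3","ip":"203.0.113.12","geo":"DE","ua":"Mozilla/5.0 (Windows) Chrome/122"}
{"ts":"2026-03-04T11:00:00Z","user":"dev3","ip":"198.51.100.9","geo":"BR","ua":"curl/8.5"}
`;

// Parse JSON lines into event objects with a numeric timestamp `t` (ms since epoch).
function parseEvents(text) {
  return text
    .split("\n")
    .filter((line) => line.trim().length > 0)
    .map((line) => {
      const e = JSON.parse(line);
      return { ...e, t: Date.parse(e.ts) };
    });
}

// Returns a list of alerts. An alert is raised when the same user authenticates
// again within `ttlMs` of their previous authentication and either the
// geography or the user agent differs from that previous authentication.
// Only the window-gated rule the remediation step prescribes is implemented;
// a stricter "never-seen-before geography" rule would drop the time gate.
function detectTokenReplay(events, ttlMs = TOKEN_TTL_MS) {
  const alerts = [];
  const lastByUser = new Map(); // user -> most recent authentication event
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    const prev = lastByUser.get(e.user);
    if (prev && e.t - prev.t <= ttlMs) {
      const reasons = [];
      if (e.geo !== prev.geo) reasons.push(`geography changed ${prev.geo} -> ${e.geo}`);
      if (e.ua !== prev.ua) reasons.push("user agent changed");
      if (reasons.length > 0) {
        alerts.push({ user: e.user, at: e.ts, fromIp: e.ip, reasons });
      }
    }
    lastByUser.set(e.user, e);
  }
  return alerts;
}

// Stand-alone run: prints the alerts for the constructed sample (dev1 only).
console.log(JSON.stringify(detectTokenReplay(parseEvents(SAMPLE_LOG)), null, 2));
```

On the constructed sample, dev1 is flagged (new geography and new user agent 90 seconds after a legitimate login), dev2 is not (same fingerprint), and dev3 is not because the second login falls an hour outside the window; tighten or widen `ttlMs` to match the token lifetime your deployment actually uses.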

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system
ISO 42001
  • A.6.2.3 - Access control for AI systems
  • A.6.2.6 - Information security in AI system lifecycle
  • A.9.2 - AI system incident management
  • A.9.4 - AI system security
NIST AI RMF
  • GOVERN 1.2 - Accountability mechanisms are in place
  • GOVERN 6.1 - AI risk policies for third-party dependencies
  • MANAGE 2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
  • LLM02 - Sensitive Information Disclosure
  • LLM02:2025 - Sensitive Information Disclosure
  • LLM03 - Supply Chain Vulnerabilities
  • LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-25750 actively exploited?

No confirmed active exploitation of CVE-2026-25750 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-25750?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM observability and monitoring pipelines, RAG pipelines, model evaluation and fine-tuning pipelines, MLOps/LLMOps infrastructure, Kubernetes-based AI deployments.

What is the CVSS score for CVE-2026-25750?

CVE-2026-25750 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.29%.

What is the AI security impact?

Affected AI Architectures

  • agent frameworks
  • LLM observability and monitoring pipelines
  • RAG pipelines
  • model evaluation and fine-tuning pipelines
  • MLOps/LLMOps infrastructure
  • Kubernetes-based AI deployments

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0052 Phishing
AML.T0085 Data from AI Services
AML.T0087 Gather Victim Identity Information
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.3, A.6.2.6, A.9.2, A.9.4
NIST AI RMF: GOVERN 1.2, GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM02, LLM02:2025, LLM03, LLM03:2025

What are the technical details?

Original Advisory

Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm version 0.12.71, a URL parameter injection vulnerability existed in LangSmith Studio that could allow unauthorized access to user accounts through stolen authentication tokens. The vulnerability affected both LangSmith Cloud and self-hosted deployments. Authenticated LangSmith users who clicked on a specially crafted malicious link would have their bearer token, user ID, and workspace ID transmitted to an attacker-controlled server. With this stolen token, an attacker could impersonate the victim and access any LangSmith resources or perform any actions the user was authorized to perform within their workspace. The attack required social engineering (phishing, malicious links in emails or chat applications) to convince users to click the crafted URL. The stolen tokens expired after 5 minutes, though repeated attacks against the same user were possible if they could be convinced to click malicious links multiple times. The fix in version 0.12.71 implements validation requiring user-defined allowed origins for the baseUrl parameter, preventing tokens from being sent to unauthorized servers. No known workarounds are available. Self-hosted customers must upgrade to the patched version.
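The fix the advisory describes, validation of the baseUrl parameter against user-defined allowed origins, can be illustrated in browser-side JavaScript. The block below is an added example and not LangSmith's code: the allowed origins, the function names, and the assumption that the client reads baseUrl from the query string and would otherwise send the session token to it are all constructed for this illustration. It places a prefix-match check, which a crafted hostname or a userinfo segment satisfies, beside exact comparison of the parsed origin, which is the shape of check the advisory's fix calls for.

```javascript
// Added illustration (not LangSmith's code): validate a user-supplied baseUrl
// against an explicit allowlist of origins before any credential is sent to it.
// The origins below are constructed placeholders for a cloud and a self-hosted
// instance; a real deployment defines its own set.
const ALLOWED_ORIGINS = new Set([
  "https://langsmith.example",       // hypothetical cloud origin
  "https://langsmith.corp.internal", // hypothetical self-hosted origin
]);

// Weak check: prefix matching on the raw string. Kept only to show why it is
// insufficient; an allowed origin followed by more hostname labels, or used
// as a userinfo segment in front of another host, still passes.
function weakBaseUrlCheck(baseUrl) {
  for (const origin of ALLOWED_ORIGINS) {
    if (baseUrl.startsWith(origin)) return true;
  }
  return false;
}

// Hardened check: parse with the WHATWG URL parser and compare the normalised
// origin (scheme + host + port) for exact set membership. Returns the
// canonical origin to build requests from, or null if the input is rejected.
function resolveBaseUrl(baseUrl, allowed = ALLOWED_ORIGINS) {
  if (typeof baseUrl !== "string" || baseUrl.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(baseUrl); // no base: relative or malformed input throws
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:") return null;      // never send tokens over plaintext
  if (parsed.username || parsed.password) return null; // reject user@host tricks outright
  if (!allowed.has(parsed.origin)) return null;        // exact origin match only
  return parsed.origin;
}

// The decision the client must make before transmitting a session token.
function mayTransmitToken(baseUrl) {
  return resolveBaseUrl(baseUrl) !== null;
}

// Stand-alone run: the hardened check rejects the lookalike, the weak one does not.
const lookalike = "https://langsmith.example.attacker.invalid/collect";
console.log("weak check accepts lookalike:", weakBaseUrlCheck(lookalike));
console.log("hardened check accepts lookalike:", mayTransmitToken(lookalike));
```

Two design points matter here. The hardened function returns the parser's canonical origin so that the request is built from that value rather than from the raw parameter, which removes any dependence on how the raw string was spelled (case, default port, trailing path). And the allowlist is a closed set that each deployment has to populate, matching the advisory's note that the fix relies on user-defined allowed origins; self-hosted operators should confirm their set contains only the origins their Studio instance legitimately talks to.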

Exploitation Scenario

A threat actor targeting an organization's AI pipeline begins by identifying LangSmith usage via job postings referencing LangChain or public GitHub repositories. The attacker registers a lookalike domain (e.g., langsmith-security-notice.com) and sets up a token capture endpoint. They craft a LangSmith URL with the vulnerable baseUrl parameter pointing to their server and embed it in a spearphishing email: 'Action required: your LangSmith workspace has been flagged for unusual activity — verify your account.' A developer or ML engineer clicks the link; their browser silently transmits the bearer token, user ID, and workspace ID to the attacker's server. Within 5 minutes, the attacker authenticates to LangSmith, exports all traces (extracting embedded OpenAI/Anthropic API keys from logged headers), downloads evaluation datasets, and maps the organization's complete AI system architecture from run metadata. If the attack is detected and the token expires, the attacker can repeat the phishing attempt — the vulnerability requires no elevated access to exploit repeatedly.

Weaknesses (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

  • [Requirements] Programming languages and supporting technologies might be chosen which are not subject to these issues.
  • [Implementation] Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published: March 4, 2026
Last Modified: March 18, 2026
First Seen: March 4, 2026
