CVE-2026-45134 affects the LangSmith SDK's prompt pull methods, which deserialize prompt manifests from LangSmith Hub without enforcing a trust boundary between public external prompts and organization-owned ones—allowing an attacker who publishes a malicious prompt to inject attacker-controlled LangChain object constructor arguments, including a custom base_url that silently redirects all LLM inference traffic to attacker-controlled infrastructure. Redirected requests may expose provider API keys, system prompts, retrieved RAG context, and user data, while the secrets_from_env=True parameter creates an additional environment-variable exfiltration vector; with 2,640 downstream dependents and a package risk score of 77/100, the blast radius across LangChain-based AI deployments is significant. Although not in CISA KEV and lacking a public exploit, the low attack complexity—requiring only that a victim application pulls a public prompt by owner/name—makes this a credible supply chain threat for any agentic or CI/CD pipeline that auto-pulls prompts from the Hub. Upgrade to langsmith Python >= 0.8.0 or JS/TS >= 0.6.0 immediately, audit all pull_prompt and pullPrompt call sites for public owner/name identifiers, and rotate LANGSMITH_API_KEY if compromise is suspected.
What is the risk?
High. CVSS 7.1 (AV:N/AC:L/PR:N/UI:R) with confidentiality impact HIGH reflects realistic SSRF and credential exfiltration potential. Attack complexity is low—no authentication required, no special privileges needed—and the trust boundary violation is trivial to exploit by any entity that can publish to LangSmith Hub. The 2,640 downstream dependents, 51 prior CVEs in the same package ecosystem, and an OpenSSF Scorecard of 6.4/10 compound supply chain risk. The package risk score of 77/100 aligns with elevated concern for production AI workloads using LangChain-based pipelines.
How does the attack unfold?
What systems are affected?
How severe is it?
What is the attack surface?
What should I do?
7 steps-
Upgrade immediately: langsmith Python >= 0.8.0, langsmith JS/TS >= 0.6.0, langchain >= 0.3.30, langchain-classic >= 1.0.7.
-
Audit all pull_prompt/pull_prompt_commit (Python) and pullPrompt/pullPromptCommit (JS/TS) call sites—identify every location using a public owner/name identifier and gate or remove them.
-
Do not pass dangerously_pull_public_prompt=True unless the specific prompt contents have been independently reviewed and explicitly trusted, not just the publishing account.
-
Disable secrets_from_env=True for any prompt sourced outside the caller's own organization.
-
Avoid include_model=True when pulling prompts from untrusted sources—it expands the deserialization allowlist to partner integration classes.
-
Treat LANGSMITH_API_KEY as a high-value secret: rotate immediately if exposure is suspected, restrict access to minimum required team members, and audit LangSmith Hub for unexpected prompt modifications.
-
Monitor outbound LLM API traffic for anomalous base_url or endpoint changes as a detection signal for active exploitation.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-45134?
CVE-2026-45134 affects the LangSmith SDK's prompt pull methods, which deserialize prompt manifests from LangSmith Hub without enforcing a trust boundary between public external prompts and organization-owned ones—allowing an attacker who publishes a malicious prompt to inject attacker-controlled LangChain object constructor arguments, including a custom base_url that silently redirects all LLM inference traffic to attacker-controlled infrastructure. Redirected requests may expose provider API keys, system prompts, retrieved RAG context, and user data, while the secrets_from_env=True parameter creates an additional environment-variable exfiltration vector; with 2,640 downstream dependents and a package risk score of 77/100, the blast radius across LangChain-based AI deployments is significant. Although not in CISA KEV and lacking a public exploit, the low attack complexity—requiring only that a victim application pulls a public prompt by owner/name—makes this a credible supply chain threat for any agentic or CI/CD pipeline that auto-pulls prompts from the Hub. Upgrade to langsmith Python >= 0.8.0 or JS/TS >= 0.6.0 immediately, audit all pull_prompt and pullPrompt call sites for public owner/name identifiers, and rotate LANGSMITH_API_KEY if compromise is suspected.
Is CVE-2026-45134 actively exploited?
No confirmed active exploitation of CVE-2026-45134 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-45134?
1. Upgrade immediately: langsmith Python >= 0.8.0, langsmith JS/TS >= 0.6.0, langchain >= 0.3.30, langchain-classic >= 1.0.7. 2. Audit all pull_prompt/pull_prompt_commit (Python) and pullPrompt/pullPromptCommit (JS/TS) call sites—identify every location using a public owner/name identifier and gate or remove them. 3. Do not pass dangerously_pull_public_prompt=True unless the specific prompt contents have been independently reviewed and explicitly trusted, not just the publishing account. 4. Disable secrets_from_env=True for any prompt sourced outside the caller's own organization. 5. Avoid include_model=True when pulling prompts from untrusted sources—it expands the deserialization allowlist to partner integration classes. 6. Treat LANGSMITH_API_KEY as a high-value secret: rotate immediately if exposure is suspected, restrict access to minimum required team members, and audit LangSmith Hub for unexpected prompt modifications. 7. Monitor outbound LLM API traffic for anomalous base_url or endpoint changes as a detection signal for active exploitation.
What systems are affected by CVE-2026-45134?
This vulnerability affects the following AI/ML architecture patterns: LangChain-based LLM application pipelines, Agent frameworks using LangSmith prompt management, RAG pipelines pulling shared prompts from LangSmith Hub, CI/CD pipelines with automated prompt pulls at startup or deployment, Multi-tenant SaaS applications using LangSmith for prompt versioning.
What is the CVSS score for CVE-2026-45134?
CVE-2026-45134 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.20%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011.000 Unsafe AI Artifacts AML.T0040 AI Model Inference API Access AML.T0081 Modify AI Agent Configuration AML.T0083 Credentials from AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization. This vulnerability is fixed in LangSmith SDK Python 0.8.0 and JS/TS 0.6.0.
Exploitation Scenario
An attacker registers a LangSmith account and publishes a prompt at attacker-org/helpful-summarizer. The prompt manifest embeds constructor kwargs specifying base_url: https://attacker.io/proxy and default Authorization headers that mimic a legitimate LLM API. A victim's LangChain-based document summarization service calls pull_prompt('attacker-org/helpful-summarizer')—possibly as part of a CI/CD pipeline loading production prompts at startup—and the SDK deserializes the manifest, instantiating an OpenAI-compatible client silently pointed at the attacker's proxy. All subsequent LLM calls, including system prompts containing business logic, retrieved RAG chunks with internal document content, and user queries with the OPENAI_API_KEY in the Authorization header, are transparently forwarded to attacker.io before being proxied to the real API. The victim application functions normally with no visible disruption while the attacker logs all traffic and exfiltrates valid provider credentials for further abuse.
Weaknesses (CWE)
CWE-502 Deserialization of Untrusted Data
Primary
CWE-502 Deserialization of Untrusted Data
Primary
CWE-502 Deserialization of Untrusted Data CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
- [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
- [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata
Same package: langchain CVE-2023-34540 9.8 LangChain: RCE via JiraAPIWrapper crafted input
Same package: langchain CVE-2023-29374 9.8 LangChain: RCE via prompt injection in LLMMathChain
Same package: langchain CVE-2023-34541 9.8 LangChain: RCE via unsafe load_prompt deserialization
Same package: langchain CVE-2023-36258 9.8 LangChain: unauthenticated RCE via code injection
Same package: langchain