CVE-2026-45134: LangSmith: prompt deserialization enables SSRF + data leak

GHSA-3644-q5cj-c5c7 HIGH
Published May 13, 2026
CISO Take

CVE-2026-45134 affects the LangSmith SDK's prompt pull methods, which deserialize prompt manifests from LangSmith Hub without enforcing a trust boundary between public external prompts and organization-owned ones—allowing an attacker who publishes a malicious prompt to inject attacker-controlled LangChain object constructor arguments, including a custom base_url that silently redirects all LLM inference traffic to attacker-controlled infrastructure. Redirected requests may expose provider API keys, system prompts, retrieved RAG context, and user data, while the secrets_from_env=True parameter creates an additional environment-variable exfiltration vector; with 2,640 downstream dependents and a package risk score of 77/100, the blast radius across LangChain-based AI deployments is significant. Although not in CISA KEV and lacking a public exploit, the low attack complexity—requiring only that a victim application pulls a public prompt by owner/name—makes this a credible supply chain threat for any agentic or CI/CD pipeline that auto-pulls prompts from the Hub. Upgrade to langsmith Python >= 0.8.0 or JS/TS >= 0.6.0 immediately, audit all pull_prompt and pullPrompt call sites for public owner/name identifiers, and rotate LANGSMITH_API_KEY if compromise is suspected.

Sources: NVD GitHub Advisory ATLAS OpenSSF

What is the risk?

High. CVSS 7.1 (AV:N/AC:L/PR:N/UI:R) with confidentiality impact HIGH reflects realistic SSRF and credential exfiltration potential. Attack complexity is low—no authentication required, no special privileges needed—and the trust boundary violation is trivial to exploit by any entity that can publish to LangSmith Hub. The 2,640 downstream dependents, 51 prior CVEs in the same package ecosystem, and an OpenSSF Scorecard of 6.4/10 compound supply chain risk. The package risk score of 77/100 aligns with elevated concern for production AI workloads using LangChain-based pipelines.

How does the attack unfold?

Malicious Prompt Publication
Attacker registers a LangSmith account and publishes a prompt manifest at attacker-org/prompt-name embedding attacker-controlled LangChain object kwargs, including a custom base_url pointing to attacker-controlled infrastructure.
AML.T0010.001
Prompt Pull and Deserialization
Victim application calls pull_prompt('attacker-org/prompt-name'); the LangSmith SDK fetches and deserializes the manifest without validating the external trust boundary, instantiating LangChain objects with attacker-supplied constructor arguments.
AML.T0011.000
LLM Traffic Redirection via SSRF
The deserialized LLM client is configured with the attacker's base_url, silently proxying all inference requests—including provider API keys in Authorization headers—through attacker-controlled infrastructure with no disruption to the victim.
AML.T0040
Credential and Context Exfiltration
Attacker's proxy intercepts and logs all LLM traffic including system prompts, RAG-retrieved context, user queries, and provider API keys, forwarding requests to the real LLM API to maintain stealth while exfiltrating all captured secrets.
AML.T0083

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip < 0.3.30 0.3.30
140.3K OpenSSF 5.8 2.7K dependents Pushed 7d ago 24% patched ~156d to patch Full package profile →
LangChain pip < 1.0.7 1.0.7
140.3K OpenSSF 5.8 2.7K dependents Pushed 7d ago 24% patched ~156d to patch Full package profile →
LangChain npm < 0.6.0 0.6.0
140.3K OpenSSF 5.8 2.7K dependents Pushed 7d ago 24% patched ~156d to patch Full package profile →
LangChain pip < 0.8.0 0.8.0
140.3K OpenSSF 5.8 2.7K dependents Pushed 7d ago 24% patched ~156d to patch Full package profile →

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Unchanged
C High
I Low
A None

What should I do?

7 steps
  1. Upgrade immediately: langsmith Python >= 0.8.0, langsmith JS/TS >= 0.6.0, langchain >= 0.3.30, langchain-classic >= 1.0.7.

  2. Audit all pull_prompt/pull_prompt_commit (Python) and pullPrompt/pullPromptCommit (JS/TS) call sites—identify every location using a public owner/name identifier and gate or remove them.

  3. Do not pass dangerously_pull_public_prompt=True unless the specific prompt contents have been independently reviewed and explicitly trusted, not just the publishing account.

  4. Disable secrets_from_env=True for any prompt sourced outside the caller's own organization.

  5. Avoid include_model=True when pulling prompts from untrusted sources—it expands the deserialization allowlist to partner integration classes.

  6. Treat LANGSMITH_API_KEY as a high-value secret: rotate immediately if exposure is suspected, restrict access to minimum required team members, and audit LangSmith Hub for unexpected prompt modifications.

  7. Monitor outbound LLM API traffic for anomalous base_url or endpoint changes as a detection signal for active exploitation.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness, and cybersecurity Article 9 - Risk management system
ISO 42001
6.1.2 - AI risk assessment A.9.4 - Supply chain security for AI systems
NIST AI RMF
GOVERN 1.1 - Policies for AI risk management MANAGE 2.2 - AI risk treatment methods
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure LLM03 - Supply Chain

Frequently Asked Questions

What is CVE-2026-45134?

CVE-2026-45134 affects the LangSmith SDK's prompt pull methods, which deserialize prompt manifests from LangSmith Hub without enforcing a trust boundary between public external prompts and organization-owned ones—allowing an attacker who publishes a malicious prompt to inject attacker-controlled LangChain object constructor arguments, including a custom base_url that silently redirects all LLM inference traffic to attacker-controlled infrastructure. Redirected requests may expose provider API keys, system prompts, retrieved RAG context, and user data, while the secrets_from_env=True parameter creates an additional environment-variable exfiltration vector; with 2,640 downstream dependents and a package risk score of 77/100, the blast radius across LangChain-based AI deployments is significant. Although not in CISA KEV and lacking a public exploit, the low attack complexity—requiring only that a victim application pulls a public prompt by owner/name—makes this a credible supply chain threat for any agentic or CI/CD pipeline that auto-pulls prompts from the Hub. Upgrade to langsmith Python >= 0.8.0 or JS/TS >= 0.6.0 immediately, audit all pull_prompt and pullPrompt call sites for public owner/name identifiers, and rotate LANGSMITH_API_KEY if compromise is suspected.

Is CVE-2026-45134 actively exploited?

No confirmed active exploitation of CVE-2026-45134 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45134?

1. Upgrade immediately: langsmith Python >= 0.8.0, langsmith JS/TS >= 0.6.0, langchain >= 0.3.30, langchain-classic >= 1.0.7. 2. Audit all pull_prompt/pull_prompt_commit (Python) and pullPrompt/pullPromptCommit (JS/TS) call sites—identify every location using a public owner/name identifier and gate or remove them. 3. Do not pass dangerously_pull_public_prompt=True unless the specific prompt contents have been independently reviewed and explicitly trusted, not just the publishing account. 4. Disable secrets_from_env=True for any prompt sourced outside the caller's own organization. 5. Avoid include_model=True when pulling prompts from untrusted sources—it expands the deserialization allowlist to partner integration classes. 6. Treat LANGSMITH_API_KEY as a high-value secret: rotate immediately if exposure is suspected, restrict access to minimum required team members, and audit LangSmith Hub for unexpected prompt modifications. 7. Monitor outbound LLM API traffic for anomalous base_url or endpoint changes as a detection signal for active exploitation.

What systems are affected by CVE-2026-45134?

This vulnerability affects the following AI/ML architecture patterns: LangChain-based LLM application pipelines, Agent frameworks using LangSmith prompt management, RAG pipelines pulling shared prompts from LangSmith Hub, CI/CD pipelines with automated prompt pulls at startup or deployment, Multi-tenant SaaS applications using LangSmith for prompt versioning.

What is the CVSS score for CVE-2026-45134?

CVE-2026-45134 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

LangChain-based LLM application pipelinesAgent frameworks using LangSmith prompt managementRAG pipelines pulling shared prompts from LangSmith HubCI/CD pipelines with automated prompt pulls at startup or deploymentMulti-tenant SaaS applications using LangSmith for prompt versioning

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0040 AI Model Inference API Access
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, A.9.4
NIST AI RMF: GOVERN 1.1, MANAGE 2.2
OWASP LLM Top 10: LLM02, LLM03

What are the technical details?

Original Advisory

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization. This vulnerability is fixed in LangSmith SDK Python 0.8.0 and JS/TS 0.6.0.

Exploitation Scenario

An attacker registers a LangSmith account and publishes a prompt at attacker-org/helpful-summarizer. The prompt manifest embeds constructor kwargs specifying base_url: https://attacker.io/proxy and default Authorization headers that mimic a legitimate LLM API. A victim's LangChain-based document summarization service calls pull_prompt('attacker-org/helpful-summarizer')—possibly as part of a CI/CD pipeline loading production prompts at startup—and the SDK deserializes the manifest, instantiating an OpenAI-compatible client silently pointed at the attacker's proxy. All subsequent LLM calls, including system prompts containing business logic, retrieved RAG chunks with internal document content, and user queries with the OPENAI_API_KEY in the Authorization header, are transparently forwarded to attacker.io before being proxied to the real API. The victim application functions normally with no visible disruption while the attacker logs all traffic and exfiltrates valid provider credentials for further abuse.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Timeline

Published
May 13, 2026
Last Modified
June 2, 2026
First Seen
May 13, 2026

Related Vulnerabilities