PT-2026-34593 · Langchain · Langsmith Python Sdk+1

Published: 2026-04-16 · Updated: 2026-05-22 · CVE-2026-41182

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

LangSmith JavaScript SDK versions prior to 0.5.19
LangSmith Python SDK versions prior to 0.7.31

Description

Output redaction controls do not apply to streaming token events. When a Large Language Model run produces streaming output, each chunk is recorded as a new token event containing the raw token value, which bypasses the redaction pipeline. Specifically, the functions prepareRunCreateOrUpdateInputs() in JavaScript and hide_run_outputs() in Python only process the inputs and outputs fields on a run and ignore the events array. Consequently, applications using the hideOutputs variable in JavaScript or the hide_outputs variable in Python to prevent sensitive data from being stored in LangSmith will still leak full streamed content via run events.

Recommendations

Update JavaScript SDK to version 0.5.19.
Update Python SDK to version 0.7.31.
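
The gap described above, modelled on a constructed run payload so it can be checked in a test suite. This is an added example, not SDK code: the event field names (name, kwargs, token), the [REDACTED] marker, the sample value and all function names are assumptions.

```python
import copy
import json

REDACTED = "[REDACTED]"       # marker chosen for this example
SECRET = "ACCT-0000-EXAMPLE"  # constructed sensitive value

# Constructed run payload; the event field names are assumptions.
SAMPLE_RUN = {
    "inputs": {"prompt": "Look up the account"},
    "outputs": {"text": "Account " + SECRET},
    "events": [
        {"name": "start", "kwargs": {}},
        {"name": "new_token", "kwargs": {"token": "Account "}},
        {"name": "new_token", "kwargs": {"token": SECRET}},
        {"name": "end", "kwargs": {}},
    ],
}


def redact_outputs_only(run):
    """Models the described behaviour: only the outputs field is processed."""
    out = copy.deepcopy(run)
    out["outputs"] = {key: REDACTED for key in out.get("outputs") or {}}
    return out


def redact_run(run):
    """Also scrubs every event's kwargs, so streamed chunks are covered."""
    out = redact_outputs_only(run)
    for event in out.get("events") or []:
        event["kwargs"] = {key: REDACTED for key in event.get("kwargs") or {}}
    return out


def streamed_text(run):
    """Rebuilds the text still recoverable from new_token events."""
    return "".join(
        str((event.get("kwargs") or {}).get("token", ""))
        for event in run.get("events") or []
        if event.get("name") == "new_token"
    )


def contains(run, needle):
    """Audit check: does the serialized payload still carry the value?"""
    return needle in json.dumps(run)
```

A check like contains() over the payload that is about to be uploaded makes a useful regression test after upgrading to the fixed SDK versions.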

Fix

Insertion into Log File

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-41182
GHSA-RR7J-V2Q5-CHGV

Affected Products

Langsmith Javascript Sdk
Langsmith Python Sdk