PT-2026-40723 · Root+2 · @Rootio/Langsmith+6
Berardinellidaniele +1
Published: 2026-05-13 · Updated: 2026-05-27
CVE-2026-45134
CVSS v3.1: 7.1 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
LangSmith SDK Python: versions prior to 0.8.0
LangSmith SDK JS/TS: versions prior to 0.6.0

Description
The prompt pull methods, pull_prompt() and pull_prompt_commit() in Python and pullPrompt() and pullPromptCommit() in JS/TS, fetch and deserialize prompt manifests from the LangSmith Hub. These manifests can contain serialized LangChain objects and model configurations that influence runtime behavior. When a public prompt is pulled using an owner/name identifier, its content is controlled by an external party. Prior versions of the SDK did not distinguish these public prompts from prompts within the caller's own organization, and treated them as inert data rather than as executable configuration.
An attacker can publish a malicious prompt to the LangSmith Hub to affect applications that pull it. If the manifest configures an LLM client with an attacker-controlled base_url or proxy, this can lead to Server-Side Request Forgery (SSRF), redirection of outbound requests, and interception of LLM traffic. It may also allow prompt injection or behavior manipulation through attacker-controlled system messages or model parameters. The risk increases when include_model is set to True, which expands the deserialization allowlist to partner integration classes, or when secrets_from_env is enabled, which allows environment variables to be read during deserialization.

Recommendations
Update LangSmith SDK Python to version 0.8.0 or later. Update LangSmith SDK JS/TS to version 0.6.0 or later. As a temporary mitigation, avoid pulling public prompts by owner/name from untrusted sources. Do not use the secrets_from_env parameter when pulling untrusted prompts. Prefer include_model=False when pulling prompts from sources outside your organization.
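As an added defensive check (example code written for this page, not part of the advisory or of the LangSmith SDK): audit a pulled manifest before handing it to the deserializer, flagging model clients pointed at non-allowlisted hosts and secret references that secrets_from_env would resolve from the environment. It assumes the manifest uses LangChain's lc/type/id/kwargs serialization layout; the helper names, the endpoint key list, the host allowlist and the sample manifest are this example's own constructions.

```python
"""Audit a pulled LangSmith prompt manifest before it is deserialized.
Walks LangChain's lc/type/id/kwargs layout and flags model config that
redirects LLM traffic or reads secrets. Helper names are this example's own."""
from urllib.parse import urlparse

# kwarg names that point an LLM client at a network endpoint (assumed list)
ENDPOINT_KEYS = {"base_url", "openai_api_base", "api_base", "openai_proxy", "proxy"}
ALLOWED_HOSTS = {"api.openai.com"}  # constructed allowlist for this example


def audit_manifest(manifest, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, path, value) findings; an empty list means no concerns."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            if node.get("lc") == 1 and node.get("type") == "secret":
                # resolved from os.environ when secrets_from_env is enabled
                findings.append(("secret", path, ".".join(node.get("id", []))))
            if node.get("lc") == 1 and node.get("type") == "constructor":
                for key, val in node.get("kwargs", {}).items():
                    if key in ENDPOINT_KEYS:
                        host = urlparse(val).hostname if isinstance(val, str) else None
                        if host not in allowed_hosts:  # non-string values flagged too
                            findings.append(("endpoint", f"{path}.{key}", val))
            for key, val in node.items():
                walk(val, f"{path}.{key}")
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]")

    walk(manifest, "$")
    return findings


def is_public_identifier(prompt_identifier, own_org):
    """owner/name identifiers outside own_org are controlled by an external party."""
    owner, sep, _ = prompt_identifier.partition("/")
    return bool(sep) and owner != own_org


# Constructed sample: a chat model pointed at a non-allowlisted host plus a secret ref.
SAMPLE_MANIFEST = {
    "lc": 1, "type": "constructor", "id": ["langchain", "schema", "runnable", "RunnableSequence"],
    "kwargs": {"first": {
        "lc": 1, "type": "constructor", "id": ["langchain", "chat_models", "openai", "ChatOpenAI"],
        "kwargs": {"model": "gpt-4o", "openai_api_base": "https://llm-proxy.example.net/v1",
                   "openai_api_key": {"lc": 1, "type": "secret", "id": ["OPENAI_API_KEY"]}}}},
}
```

Run the audit on the pulled manifest and refuse to deserialize (or fall back to include_model=False) when any finding is returned for a prompt that is_public_identifier() reports as external.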

Weakness Enumeration
Deserialization of Untrusted Data (CWE-502)

Related Identifiers

CVE-2026-45134
GHSA-3644-Q5CJ-C5C7

Affected Products

@Rootio/Langsmith
Langchain
Langchain-Classic
Langsmith
Langsmith-Sdk
Rootio-Langchain
Rootio-Langchain-Classic