PT-2026-55945 · Langchain · Langsmith Client Sdks
Ryu7Zz
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-59152
CVSS v3.1
5.0
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
LangSmith Client SDKs versions prior to 0.8.18
Description
An issue exists in the
TracingMiddleware where an attacker can send an HTTP request to a server to force the reading of an arbitrary file from the local filesystem. The contents of the file are then uploaded to LangSmith as a trace attachment. Depending on the deployment of the distributed trace system, triggering this read may not require authentication. However, retrieving the uploaded content requires read access to the LangSmith workspace. This allows a user with low-privilege workspace access to read files from any server running the middleware, crossing the intended trust boundary.Recommendations
Update LangSmith Client SDKs to version 0.8.18.
Fix
Type Confusion
Path traversal
Origin Validation Error
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Langsmith Client Sdks