PT-2026-55945 · Langchain · Langsmith Client Sdks

Ryu7Zz

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-59152

CVSS v3.1

5.0

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions LangSmith Client SDKs versions prior to 0.8.18
Description An issue exists in the TracingMiddleware where an attacker can send an HTTP request to a server to force the reading of an arbitrary file from the local filesystem. The contents of the file are then uploaded to LangSmith as a trace attachment. Depending on the deployment of the distributed trace system, triggering this read may not require authentication. However, retrieving the uploaded content requires read access to the LangSmith workspace. This allows a user with low-privilege workspace access to read files from any server running the middleware, crossing the intended trust boundary.
Recommendations Update LangSmith Client SDKs to version 0.8.18.

Fix

Type Confusion

Path traversal

Origin Validation Error

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59152

Affected Products

Langsmith Client Sdks