Skip to main content

LangSmith SDK EUVDEUVD-2026-25152

| CVE-2026-41182 MEDIUM
Information Exposure (CWE-200)
2026-04-23 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 29, 2026 - 20:46 nvd
Patch available
Analysis Generated
Apr 23, 2026 - 07:07 vuln.today
Patch available
Apr 23, 2026 - 06:16 EUVD
EUVD ID Assigned
Apr 23, 2026 - 01:15 euvd
EUVD-2026-25152
Analysis Generated
Apr 23, 2026 - 01:15 vuln.today
CVE Published
Apr 23, 2026 - 00:14 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 npm packages depend on langsmith (5 direct, 2 indirect)

Ecosystem-wide dependent count for version 0.5.19.

DescriptionGitHub Advisory

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely - prepareRunCreateOrUpdateInputs (JS) and _hide_run_outputs (Python) only process the inputs and outputs fields on a run, never the events array. As a result, applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events. Version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK fix the issue.

AnalysisAI

LangSmith Client SDKs in JavaScript (prior to 0.5.19) and Python (prior to 0.7.31) fail to apply output redaction controls to streaming token events, allowing sensitive LLM-generated content to leak into LangSmith platform storage despite hideOutputs/hide_outputs being enabled. Unauthenticated remote attackers can intercept or access unredacted streamed tokens if they gain visibility into run events, bypassing the intended confidentiality controls.

Technical ContextAI

The LangSmith SDKs implement output redaction through prepareRunCreateOrUpdateInputs (JavaScript) and _hide_run_outputs (Python) functions that sanitize the inputs and outputs fields on run objects before transmission to the LangSmith platform. However, when an LLM generates streaming output (common in modern LLM integrations), each token chunk is recorded as a separate new_token event appended to the events array within the run object. The redaction pipeline processes only the top-level inputs and outputs fields and completely bypasses the events array, causing raw token values to persist unredacted. This is fundamentally an information disclosure flaw (CWE-200) where trust boundaries fail - applications assume redaction applies uniformly across all output channels, but the streaming event path operates outside the redaction mechanism. The vulnerability affects the langsmith-sdk package across its Python and JavaScript implementations.

RemediationAI

Vendor-released patch: Upgrade to LangSmith JavaScript SDK version 0.5.19 or later, and Python SDK version 0.7.31 or later. Both versions restore redaction coverage to the events array, ensuring new_token events are processed through the redaction pipeline. Organizations should apply these upgrades immediately if they rely on the hideOutputs (JavaScript) or hide_outputs (Python) feature for compliance or data protection. No workarounds are available short of patching - disabling streaming integrations entirely would preserve redaction guarantees but is not practical for production LLM applications. Interim mitigations include restricting LangSmith workspace access via IAM, encrypting network traffic between SDK and LangSmith platform with TLS, and monitoring LangSmith workspace access logs for unexpected data access. See GitHub security advisory GHSA-rr7j-v2q5-chgv for detailed patch notes.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-25152 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy