Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Arbitrary server file read warrants C:H - practical targets include SSH keys, .env secrets, and TLS certs despite the PR:L workspace access gate.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 pypi packages depend on langsmith (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.8.18.
DescriptionCVE.org
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can cause that server to read an arbitrary file from its local filesystem and upload the contents to LangSmith as a trace attachment. Depending on how the distributed trace system is deployed, triggering a read may not require authentication. Retrieving the contents requires read access to the LangSmith workspace the traces are sent to. The net effect is a trust-boundary crossing: a party with workspace trace-read access (for example a low-privilege workspace member, a contractor, or a compromised teammate account) gains the ability to read files from any server running TracingMiddleware, a capability outside that workspace's intended trust boundary. This vulnerability is fixed in 0.8.18.
AnalysisAI
Path traversal in LangSmith Client SDK's TracingMiddleware (versions prior to 0.8.18) enables a trust-boundary crossing where any party with LangSmith workspace trace-read access can exfiltrate arbitrary files from servers running the middleware. An attacker sends a crafted HTTP request to a TracingMiddleware-instrumented server, causing it to read a local filesystem path and upload the contents to LangSmith as a trace attachment, which the attacker then retrieves via their workspace access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target server must be running LangSmith SDK prior to 0.8.18 with TracingMiddleware active and processing incoming HTTP requests. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) understates real-world impact for many deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A contractor with LangSmith workspace read access sends a crafted HTTP request to an internal microservice running TracingMiddleware, embedding a path traversal sequence targeting /run/secrets/db-password or /app/.env in a middleware-parsed field. The server reads the file and uploads its contents to LangSmith as a trace attachment. … |
| Remediation | Upgrade to LangSmith SDK version 0.8.18 or later, which resolves the path traversal per the vendor-released fix confirmed in GitHub Security Advisory GHSA-f4xh-w4cj-qxq8 (https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-f4xh-w4cj-qxq8). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Langsmith Sdk
View allSame weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41879