CVE-2026-45134
Server-side request forgery vulnerability in langsmith (PyPI)

Server-side request forgery No known exploit

What is CVE-2026-45134 About?

This vulnerability in the LangSmith SDK allows attackers to execute arbitrary code or manipulate model behavior via malicious prompt manifests. Successful exploitation can lead to server-side request forgery, data exfiltration, or prompt injection. Exploitation is relatively easy if an attacker can publish a malicious prompt or compromise an organization's account.

Affected Software

  • langsmith
    • <0.8.0
    • <0.6.0
  • langchain-classic
    • <1.0.7
  • langchain
    • <0.3.30

Technical Details

The LangSmith SDK's prompt pull methods (pull_prompt/pullPrompt) deserialize prompt manifests from the LangSmith Hub. These manifests can contain serialized LangChain objects and model configurations that are treated as executable configuration, not inert text. An attacker can craft a malicious prompt manifest with attacker-controlled constructor arguments for Runnable or PromptTemplate objects, or configure a model with a custom base_url, proxy, or secrets_from_env enabled. When an application pulls such a public prompt by owner/name (or a compromised intra-organizational prompt), the SDK deserializes and instantiates these objects, allowing the attacker to redirect LLM traffic, disclose sensitive data, or embed malicious instructions that alter the application's behavior. The vulnerability arises from an insufficient trust boundary when pulling public prompts and a lack of validation of the deserialized content.

What is the Impact of CVE-2026-45134?

Successful exploitation may allow attackers to perform server-side request forgery (SSRF), redirect outbound LLM traffic to attacker-controlled endpoints, intercept sensitive data like prompt contents or credentials, or manipulate application behavior through prompt injection.

What is the Exploitability of CVE-2026-45134?

Exploitation can be moderately complex, requiring the attacker to either publish a malicious prompt to the LangSmith Hub or gain write access to the victim's organization. No authentication to the target application is required for public prompt exploitation, but an attacker needs to publish the malicious prompt to the LangSmith Hub. Privilege requirements involve either control over a public LangSmith Hub account or unauthorized access to an organization's LANGSMITH_API_KEY or a team member account. The exploit is primarily remote, as the attacker influences the content pulled by the target application. Special conditions include the application using pull_prompt with a public owner/name identifier or pulling a compromised intra-organizational prompt, and failing to validate its contents. The likelihood increases if applications frequently integrate public prompts without review or if API keys are poorly protected.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2026-45134?

Available Upgrade Options

  • langsmith
    • <0.6.0 → Upgrade to 0.6.0
  • langchain
    • <0.3.30 → Upgrade to 0.3.30
  • langchain-classic
    • <1.0.7 → Upgrade to 1.0.7

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2026-45134?

Similar Vulnerabilities: CVE-2024-21626 , CVE-2023-46797 , CVE-2023-38545 , CVE-2023-37905 , CVE-2023-28432

All Rights reserved 2025
Privacy Policy