Description
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker. This vulnerability is fixed in version 0.6.3 of the Python SDK and 0.4.6 of the JavaScript SDK.
Published: 2026-02-09
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach via SSRF
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a server‑side request forgery in the LangSmith client SDK’s distributed tracing feature. An attacker can inject malicious values into the baggage HTTP header, specifically the api_url field, which the SDK parses without validation. When a traced operation completes, the SDK sends run data to all configured replica URLs. If an attacker supplies an arbitrary api_url, trace data, including potentially sensitive information, is exfiltrated to the attacker’s endpoint. This results in a confidentiality compromise of trace data.

Affected Systems

Affected products are the LangSmith client SDKs provided by langchain-ai for Python and JavaScript. Versions prior to 0.6.3 for Python and prior to 0.4.6 for JavaScript are impacted. The flaw exists in the RunTree.from_headers() (Python) and RunTree.fromHeaders() (Typescript) code used when distributed tracing is enabled.

Risk and Exploitability

The CVSS score is 5.8, indicating medium severity, while the EPSS score is less than 1%, suggesting a low probability of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is via a client that has network access to the LangSmith service; an attacker who can influence the baggage header sent to the SDK can cause it to contact arbitrary endpoints, leading to data exfiltration. Exploitation requires the SDK to be running with distributed tracing enabled and the attacker to supply a malicious api_url in the baggage header. No known workarounds are available beyond disabling distributed tracing.

Generated by OpenCVE AI on April 17, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Python SDK to version 0.6.3 or newer.
  • Upgrade the JavaScript SDK to version 0.4.6 or newer.
  • If an upgrade is not yet possible, disable distributed tracing in the SDK configuration to prevent the vulnerability from being exercised.

Generated by OpenCVE AI on April 17, 2026 at 21:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v34v-rq6j-cj6p LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
History

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Langchain-ai
Langchain-ai langsmith-sdk
Vendors & Products Langchain-ai
Langchain-ai langsmith-sdk

Mon, 09 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker. This vulnerability is fixed in version 0.6.3 of the Python SDK and 0.4.6 of the JavaScript SDK.
Title LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Langchain-ai Langsmith-sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:59:49.992Z

Reserved: 2026-02-02T19:59:47.373Z

Link: CVE-2026-25528

cve-icon Vulnrichment

Updated: 2026-02-10T15:39:48.719Z

cve-icon NVD

Status : Deferred

Published: 2026-02-09T21:15:48.857

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25528

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses