Description
Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm version 0.12.71, a URL parameter injection vulnerability existed in LangSmith Studio that could allow unauthorized access to user accounts through stolen authentication tokens. The vulnerability affected both LangSmith Cloud and self-hosted deployments. Authenticated LangSmith users who clicked on a specially crafted malicious link would have their bearer token, user ID, and workspace ID transmitted to an attacker-controlled server. With this stolen token, an attacker could impersonate the victim and access any LangSmith resources or perform any actions the user was authorized to perform within their workspace. The attack required social engineering (phishing, malicious links in emails or chat applications) to convince users to click the crafted URL. The stolen tokens expired after 5 minutes, though repeated attacks against the same user were possible if they could be convinced to click malicious links multiple times. The fix in version 0.12.71 implements validation requiring user-defined allowed origins for the baseUrl parameter, preventing tokens from being sent to unauthorized servers. No known workarounds are available. Self-hosted customers must upgrade to the patched version.
Published: 2026-03-04
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Token theft via URL parameter injection
Action: Patch Now
AI Analysis

Impact

LangSmith Studio is vulnerable to a URL parameter injection flaw that allows an attacker to embed a malicious baseUrl in a link. When an authenticated user clicks the link, the vulnerable application transmits the user's bearer token, user ID, and workspace ID to the attacker-controlled server. This leads to immediate impersonation of the victim within the affected workspace. The flaw is a classic example of input validation weakness (CWE‑74).

Affected Systems

The issue exists in deployments that use the langchain‑ai Helm charts for LangSmith on Kubernetes prior to chart version 0.12.71. Both the cloud‑based and self‑hosted instances of LangSmith Studio are impacted. The vulnerability surfaces in any hosting environment where the Helm chart version is older than the patched release.

Risk and Exploitability

The CVSS score of 8.5 classifies this as high‑severity. EPSS is below 1 %, indicating a low probability of exploitation under current conditions, and the flaw is not yet listed in the CISA KEV catalog. However, successful attacks require only social engineering to entice a user to click a crafted link, a common vector in phishing campaigns. Tokens are short‑lived, expiring after five minutes, but repeated social engineering could repeatedly harvest them. Once captured, an attacker can perform any action that the victim was authorized to execute within the workspace.

Generated by OpenCVE AI on April 16, 2026 at 13:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Helm chart to version 0.12.71 or later to apply the validation that restricts the baseUrl parameter to allowed origins.
  • In the updated Helm configuration, explicitly define the allowed origins for baseUrl to limit the destinations that can receive bearer tokens.
  • Verify that self‑hosted deployments are using the patched chart and that no old values remain in the deployment configuration.

Generated by OpenCVE AI on April 16, 2026 at 13:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Langchain
Langchain langsmith
CPEs cpe:2.3:a:langchain:langsmith:*:*:*:*:*:kubernetes:*:*
Vendors & Products Langchain
Langchain langsmith
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Langchain-ai
Langchain-ai helm
Vendors & Products Langchain-ai
Langchain-ai helm

Wed, 04 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm version 0.12.71, a URL parameter injection vulnerability existed in LangSmith Studio that could allow unauthorized access to user accounts through stolen authentication tokens. The vulnerability affected both LangSmith Cloud and self-hosted deployments. Authenticated LangSmith users who clicked on a specially crafted malicious link would have their bearer token, user ID, and workspace ID transmitted to an attacker-controlled server. With this stolen token, an attacker could impersonate the victim and access any LangSmith resources or perform any actions the user was authorized to perform within their workspace. The attack required social engineering (phishing, malicious links in emails or chat applications) to convince users to click the crafted URL. The stolen tokens expired after 5 minutes, though repeated attacks against the same user were possible if they could be convinced to click malicious links multiple times. The fix in version 0.12.71 implements validation requiring user-defined allowed origins for the baseUrl parameter, preventing tokens from being sent to unauthorized servers. No known workarounds are available. Self-hosted customers must upgrade to the patched version.
Title LangSmith Studio has URL Parameter Injection Vulnerability that Enables Token Theft via Malicious baseUrl
Weaknesses CWE-74
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Langchain Langsmith
Langchain-ai Helm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-05T15:42:21.213Z

Reserved: 2026-02-05T18:35:52.356Z

Link: CVE-2026-25750

cve-icon Vulnrichment

Updated: 2026-03-05T15:39:32.603Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T22:16:17.667

Modified: 2026-03-18T15:06:59.877

Link: CVE-2026-25750

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:15:06Z

Weaknesses