Description
LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely — prepareRunCreateOrUpdateInputs (JS) and _hide_run_outputs (Python) only process the inputs and outputs fields on a run, never the events array. As a result, applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events. Version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK fix the issue.
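The gap described above, as an added illustration rather than code from the LangSmith SDK: a run is modelled as a plain dict with inputs, outputs and events, the pre-fix redaction touches only the outputs field, the fixed variant also scrubs new_token events, and a defender-side check reports any raw tokens still present in a payload. The run shape and the function names are assumptions.

```python
# Added illustration, not LangSmith SDK code. A run is modelled as a plain dict with
# "inputs", "outputs" and "events"; streamed chunks are assumed to be
# {"name": "new_token", "kwargs": {"token": ...}} entries. Function names are hypothetical.
import copy

REDACTED = {"redacted": True}
HIDDEN_TOKEN = "[hidden]"

def redact_outputs_only(run: dict) -> dict:
    """Pre-fix behaviour: hide_outputs rewrites only the outputs field; the
    events array (and every streamed token in it) passes through untouched."""
    run = copy.deepcopy(run)
    run["outputs"] = REDACTED
    return run

def redact_outputs_and_events(run: dict) -> dict:
    """Fixed behaviour: hide outputs and drop the raw chunk from each new_token event."""
    run = copy.deepcopy(run)
    run["outputs"] = REDACTED
    for event in run.get("events", []):
        if event.get("name") == "new_token":
            # Keep the event (timing, token counts) but not the token text.
            event["kwargs"] = {"token": HIDDEN_TOKEN}
    return run

def leaked_tokens(run: dict) -> list:
    """Defender check: raw token strings still present in a run's events.
    A non-empty result on a payload about to be uploaded means redaction was bypassed."""
    return [
        ev["kwargs"]["token"]
        for ev in run.get("events", [])
        if ev.get("name") == "new_token"
        and ev.get("kwargs", {}).get("token") not in (None, HIDDEN_TOKEN)
    ]

# Constructed sample run: the model streamed a secret-looking value chunk by chunk.
SAMPLE_RUN = {
    "inputs": {"prompt": "What is the API key?"},
    "outputs": {"output": "sk-example-1234"},
    "events": [
        {"name": "new_token", "kwargs": {"token": "sk-"}},
        {"name": "new_token", "kwargs": {"token": "example-"}},
        {"name": "new_token", "kwargs": {"token": "1234"}},
        {"name": "end"},
    ],
}
```

Joining the tokens that `leaked_tokens` reports on the pre-fix payload reconstructs the full hidden output, which is exactly what the advisory describes.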
Published: 2026-04-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via unredacted streamed tokens
Action: Patch SDK
AI Analysis

Impact

The vulnerability causes the LangSmith SDK’s output redaction settings—hideOutputs in JavaScript and hide_outputs in Python—to be ignored for streaming token events. When an LLM run produces output in a streaming fashion, each chunk is emitted as a new_token event that carries the raw token value. These events are recorded on the run without passing through the SDK’s redaction pipeline, so any sensitive text generated by the model is stored in LangSmith as part of the run events.

Affected Systems

The affected products are the LangSmith SDK for JavaScript (prior to version 0.5.19) and the LangSmith SDK for Python (prior to version 0.7.31) published by langchain-ai. Applications that rely on the SDK’s output-redaction controls and use streaming output will be impacted unless they are updated to the specified patched releases.

Risk and Exploitability

The CVSS base score is 5.3, indicating a moderate risk, but the EPSS score of < 1% shows that the likelihood of exploitation is very low at present, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is an application or service that consumes the SDK to run a language model and is configured to capture streaming outputs. An attacker could feed the application a prompt that triggers streaming of sensitive data, thereby causing the raw token events to be logged in LangSmith without redaction. The impact is purely information disclosure; there is no privilege escalation or denial of service.

Generated by OpenCVE AI on April 28, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JavaScript SDK to version 0.5.19 or later
  • Upgrade the Python SDK to version 0.7.31 or later
  • Configure the SDK’s hideOutputs/hide_outputs option to ensure all streaming output passes through the redaction pipeline even when token events are emitted
  • Disable or sanitize logging of raw token events to prevent accidental exposure (addressing CWE-532)
  • Verify that no hard-coded secrets or credentials are present in the token streams before sending them to the model, and remove or mask them if they are found (addressing CWE-359)

Advisories
Source: Github GHSA
ID: GHSA-rr7j-v2q5-chgv
Title: LangSmith SDK: Streaming token events bypass output redaction
History

Tue, 28 Apr 2026 00:15:00 +0000

Type: First Time appeared
Values Added: Langchain-ai; Langchain-ai langsmith-sdk
Type: Vendors & Products
Values Added: Langchain-ai; Langchain-ai langsmith-sdk

Thu, 23 Apr 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 01:15:00 +0000

Type: Description
Values Added: LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely — prepareRunCreateOrUpdateInputs (JS) and _hide_run_outputs (Python) only process the inputs and outputs fields on a run, never the events array. As a result, applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events. Version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK fix the issue.
Type: Title
Values Added: LangSmith SDK: Streaming token events bypass output redaction
Type: Weaknesses
Values Added: CWE-200; CWE-359; CWE-532
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T16:23:39.037Z

Reserved: 2026-04-17T16:34:45.526Z

Link: CVE-2026-41182

Vulnrichment

Updated: 2026-04-23T14:22:13.647Z

NVD

Status : Deferred

Published: 2026-04-23T02:16:16.123

Modified: 2026-04-29T20:46:33.890

Link: CVE-2026-41182

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses