Description
LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization. This vulnerability is fixed in LangSmith SDK Python 0.8.0 and JS/TS 0.6.0.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists because the LangSmith SDK deserializes prompt manifests fetched from the LangSmith Hub without enforcing a trust boundary. These manifests can contain serialized LangChain objects and model configuration that directly influence runtime behavior. When a client pulls a public prompt, the content is chosen by an external party, but older SDK versions treated it the same as an internal organization prompt. This flaw corresponds to deserialization of untrusted data (CWE‑502) and could allow an attacker to craft a malicious prompt that, when pulled, causes unintended code execution or configuration changes during SDK runtime.

Affected Systems

LangSmith Client SDKs from langchain‑ai, specifically Python SDK versions earlier than 0.8.0 and JavaScript/TypeScript SDK versions earlier than 0.6.0, are vulnerable. All earlier releases incur the risk because they employ the insecure pullPrompt and pull_prompt methods.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level. While no EPSS data is available, the absence of a KEV listing suggests there are no known large‑scale exploits at the time of this analysis. Exploitation requires only that a client application invokes the public prompt pull method with an attacker‑controlled prompt identifier. Because the flaw resides on the client side and does not require privileged access, the attack surface consists of any user or script that pulls public prompts from the Hub.

Generated by OpenCVE AI on May 27, 2026 at 22:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LangSmith Client SDK to Python 0.8.0 or later, or JavaScript/TypeScript 0.6.0 or later, to remove the insecure deserialization.
  • If upgrading is not immediately possible, restrict the use of pull_prompt or pullPrompt to only trusted, internally managed prompt identifiers; avoid pulling arbitrary public prompts.
  • Apply input validation or sandboxing around the deserialization step, or temporarily disable prompt pull from external sources, to guard against malicious manifests until a patch is applied.
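One way to apply the second recommended action on an SDK version that cannot yet be upgraded, as an added example (not code from the LangSmith SDK or from OpenCVE): a fail-closed gate that lets a pull proceed only for the caller's own prompts or an allowlisted owner. The function names, the `acme-internal` owner, the optional `:commit` suffix and the rule that a bare name resolves inside the caller's organization are assumptions made for illustration.

```python
import re

# Assumed identifier grammar: "name" or "owner/name", each optionally ":commit".
# Only the owner/name form is stated in the advisory; the rest is an assumption.
_IDENT = re.compile(
    r"(?:(?P<owner>[A-Za-z0-9][A-Za-z0-9_.-]*)/)?"
    r"(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)"
    r"(?::(?P<commit>[A-Za-z0-9]+))?"
)


class UntrustedPromptError(ValueError):
    """Raised when an identifier is malformed or crosses the trust boundary."""


def classify(identifier, trusted_owners):
    """Return 'own-org' or 'trusted-owner'; raise for anything else."""
    m = _IDENT.fullmatch(identifier)
    if m is None:
        # Fail closed: whitespace, extra slashes, dot-prefixed or empty parts.
        raise UntrustedPromptError(f"malformed prompt identifier: {identifier!r}")
    owner = m.group("owner")
    if owner is None:
        return "own-org"  # assumption: a bare name stays inside the caller's org
    if owner in trusted_owners:  # exact match, no case folding
        return "trusted-owner"
    raise UntrustedPromptError(f"owner {owner!r} is not on the allowlist")


def guarded_pull(pull, identifier, trusted_owners):
    """Call pull(identifier) only after the identifier passes the gate.

    `pull` is whatever callable fetches the prompt (for example a bound
    pull_prompt method); it is never invoked for a rejected identifier.
    """
    classify(identifier, trusted_owners)
    return pull(identifier)


if __name__ == "__main__":
    # Constructed sample identifiers, not real Hub prompts.
    fake_pull = lambda ident: f"<manifest for {ident}>"
    for ident in ["billing-summary", "acme-internal/triage:abc123", "someone-else/helper"]:
        try:
            print(ident, "->", guarded_pull(fake_pull, ident, {"acme-internal"}))
        except UntrustedPromptError as exc:
            print(ident, "-> blocked:", exc)
```

Because the gate runs before the fetch, a rejected identifier never reaches the deserialization step at all.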



Advisories
Source: GitHub GHSA
ID: GHSA-3644-q5cj-c5c7
Title: LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
History

Thu, 28 May 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Langchain-ai
Langchain-ai langsmith-sdk
Vendors & Products Langchain-ai
Langchain-ai langsmith-sdk

Wed, 27 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization. This vulnerability is fixed in LangSmith SDK Python 0.8.0 and JS/TS 0.6.0.
Title LangSmith Client SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T19:35:32.662Z

Reserved: 2026-05-08T20:08:17.209Z

Link: CVE-2026-45134

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T20:16:38.697

Modified: 2026-05-27T20:16:38.697

Link: CVE-2026-45134

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T01:45:03Z
