CVE-2026-25528: LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Serv...

Description

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker. This vulnerability is fixed in version 0.6.3 of the Python SDK and 0.4.6 of the JavaScript SDK.

Metrics

CVSS 3.1

5.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

EPSS Probability

0.28%

19.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-918

References

https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-v34v-rq6j-cj6p

Timeline

Published: Feb 9, 2026
Last Modified: Jun 17, 2026
Status: Deferred

Frequently Asked Questions

What is CVE-2026-25528?

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker. This vulnerability is fixed in version 0.6.3 of the Python SDK and 0.4.6 of the JavaScript SDK.

How severe is CVE-2026-25528?

CVE-2026-25528 has a CVSS score of 5.8/10 (MEDIUM severity). The EPSS model estimates a 0.28% probability of exploitation in the next 30 days.

How do I fix CVE-2026-25528?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.