CVE-2026-45134
Insecure Prompt Deserialization in LangSmith SDK
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langsmith | langsmith_sdk_python | 0.8.0 |
| langsmith | langsmith_sdk_js_ts | 0.6.0 |
| langsmith | langsmith_sdk_python | to 0.8.0 (exc) |
| langsmith | langsmith_sdk_js_ts | to 0.6.0 (exc) |
| langsmith | langsmith_sdk | 0.8.0 |
| langsmith | langsmith_sdk | 0.6.0 |
| langsmith | langsmith_sdk | From 0.6.0 (inc) to 0.8.0 (exc) |
| langsmith | langsmith_sdk | From 0.8.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to manipulate application behavior by injecting malicious configurations, potentially leading to confidentiality loss and data exfiltration.
Such unauthorized access and data leakage could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information and ensuring data integrity.
Organizations using the affected SDK versions must enforce strict access controls and validate prompts to mitigate risks that could lead to regulatory non-compliance.
Can you explain this vulnerability to me?
The CVE-2026-45134 vulnerability affects the LangSmith SDK's prompt pull methods, which fetch and deserialize prompt manifests from the LangSmith Hub. These manifests can contain serialized LangChain objects and model configurations that influence runtime behavior.
Prior to versions Python 0.8.0 and JS/TS 0.6.0, the SDK did not distinguish between pulling prompts from trusted internal sources and public prompts controlled by external parties. This allowed attackers to publish malicious prompts that inject executable configurations, such as custom model URLs, headers, or attacker-controlled serialized objects.
As a result, attackers could manipulate application behavior by exploiting this deserialization of untrusted data, potentially causing server-side request forgery (SSRF), redirecting language model traffic, or exfiltrating sensitive data.
How can this vulnerability impact me? :
This vulnerability can lead to significant security impacts including loss of confidentiality and potential integrity issues.
- Attackers can manipulate application behavior by injecting malicious configurations.
- It can enable server-side request forgery (SSRF), allowing attackers to make unauthorized requests from the server.
- Attackers may redirect language model traffic to attacker-controlled endpoints.
- Sensitive data could be exfiltrated if prompts include secrets or environment variables.
Even prompts from the same organization pose risks if credentials are compromised, as attackers with write access could push malicious prompts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the deserialization of untrusted prompt manifests in LangSmith SDKs, which may be exploited when pulling public prompts without proper validation.
Detection involves monitoring usage of the vulnerable prompt pull methods (pull_prompt, pull_prompt_commit in Python; pullPrompt, pullPromptCommit in JS/TS) especially when fetching public prompts by owner/name identifiers.
Look for network requests or logs indicating calls to these methods pulling prompts from untrusted external sources.
- Check SDK versions in use to identify if they are below the patched versions (Python < 0.8.0, JS/TS < 0.6.0).
- Audit application logs for usage of pull_prompt or pullPrompt methods with public prompt identifiers.
- Use network monitoring tools to detect unusual outbound requests or redirects that may indicate SSRF or exfiltration attempts triggered by malicious prompt manifests.
Specific commands depend on your environment, but examples include:
- For Python environments, use package managers to check SDK version: `pip show langsmith_sdk_python`
- For JS/TS environments, check package version: `npm list langsmith_sdk_js_ts` or `yarn list langsmith_sdk_js_ts`
- Use network monitoring tools like `tcpdump` or `Wireshark` to capture and analyze traffic for suspicious requests to external prompt sources.
- Review application logs or add logging around calls to pull_prompt / pullPrompt methods to detect untrusted prompt pulls.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the LangSmith SDKs to the patched versions: Python SDK version 0.8.0 or later, and JS/TS SDK version 0.6.0 or later.
Avoid pulling public prompts without explicit validation or opt-in, as the SDK now blocks public prompt pulls by default.
- In Python, do not set `dangerously_pull_public_prompt=True` unless absolutely necessary and you trust the prompt source.
- In JS/TS, avoid setting `dangerouslyPullPublicPrompt: true` unless you have validated the prompt source.
Enforce strict access controls within your organization to prevent unauthorized users from pushing malicious prompts.
Review and audit prompt manifests as executable configuration to detect and block malicious content.
Monitor for suspicious activity such as unexpected network requests or changes in prompt behavior that could indicate exploitation.