PatchSiren cyber security CVE debrief
CVE-2026-45134 langchain-ai CVE debrief
LangSmith Client SDKs prior to Python 0.8.0 and JS/TS 0.6.0 fail to distinguish between prompts owned by the caller's organization and public prompts owned by external parties when using prompt pull methods (pull_prompt/pull_prompt_commit in Python; pullPrompt/pullPromptCommit in JS/TS). These methods fetch and deserialize prompt manifests from the LangSmith Hub, which may contain serialized LangChain objects and model configuration that affect runtime behavior. Because public prompt manifests are controlled by external parties, this creates a deserialization trust boundary violation where untrusted content is processed with the same privileges as internal organizational prompts. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) with a CVSS 3.1 score of 7.1 (HIGH). The issue was published on 2026-05-27.
- Vendor: langchain-ai
- Product: langsmith-sdk
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
- Organizations using LangSmith SDK Python versions prior to 0.8.0 or JS/TS versions prior to 0.6.0 to pull prompts from the LangSmith Hub, particularly those that consume public prompts from external owners
- Development teams building LangChain applications that integrate LangSmith prompt management
- Security teams assessing supply chain risk in AI/ML SDK dependencies
Technical summary
The LangSmith SDK's prompt pull methods deserialize manifest content without verifying the ownership boundary between organizational and public prompts. When a public prompt is pulled by its owner/name identifier, the manifest content (serialized LangChain objects and model configuration) is controlled by an external party but is processed with the same trust as a prompt from the caller's own organization. This deserialization of untrusted data (CWE-502) lets a manifest author influence the runtime behavior of any application that consumes their public prompt; the CVSS vector rates the resulting impact as high for confidentiality and low for integrity. Triggering it requires user interaction in the CVSS sense (application code calling a pull method with an external prompt identifier) but no privileges, and the attack complexity is low.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade LangSmith SDK to Python 0.8.0 or later, or JS/TS 0.6.0 or later
- Review application code for uses of pull_prompt, pull_prompt_commit, pullPrompt, or pullPromptCommit methods
- Audit pulled prompts to identify any that originated from external/public owners
- Where upgrade is not immediately feasible, restrict pulls to prompts owned by your organization and validate or sandbox manifest content before it is deserialized
- Monitor LangSmith Hub usage for unexpected prompt sources in application logs
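The owner check and manifest inspection the last actions call for, as an added example for this debrief; it is not code from the langsmith SDK, the advisory, or the 0.8.0/0.6.0 fix. It assumes the LangChain serialization format that Hub manifests carry (nested dicts with "lc": 1, a "type" of "constructor" or "secret", an "id" module path and "kwargs"). The trusted-owner handle, the allowlist of prompt classes and the sample manifest are constructed for illustration.

```python
"""Gate LangSmith Hub prompt pulls: trusted-owner check plus manifest inspection.

Added example, not langsmith SDK code. Assumes LangChain's "lc": 1 serialization
format; owner names, allowlists and the sample manifest are constructed.
"""
import re
from typing import Any, Iterable, List, Optional, Tuple

# Owners whose prompts count as internal (assumption: our own workspace handle).
TRUSTED_OWNERS = frozenset({"acme-internal"})

# Serialized classes a prompt manifest may contain. Model wrappers, tools and
# runnables are deliberately absent so a pulled prompt cannot smuggle them in.
ALLOWED_CONSTRUCTOR_IDS = frozenset({
    ("langchain", "prompts", "chat", "ChatPromptTemplate"),
    ("langchain", "prompts", "chat", "HumanMessagePromptTemplate"),
    ("langchain", "prompts", "chat", "SystemMessagePromptTemplate"),
    ("langchain", "prompts", "prompt", "PromptTemplate"),
})

# Hub identifiers look like "name", "owner/name" or "owner/name:commit".
_IDENT_RE = re.compile(r"^(?:(?P<owner>[\w.-]+)/)?(?P<name>[\w.-]+)(?::(?P<commit>\w+))?$")


def parse_prompt_identifier(identifier: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split an identifier into (owner, name, commit); owner is None for a bare name."""
    m = _IDENT_RE.match(identifier)
    if not m:
        raise ValueError(f"malformed prompt identifier: {identifier!r}")
    return m.group("owner"), m.group("name"), m.group("commit")


def is_trusted_owner(identifier: str) -> bool:
    """A bare name resolves to the caller's own workspace; any explicit owner must be allowlisted."""
    owner, _, _ = parse_prompt_identifier(identifier)
    return owner is None or owner in TRUSTED_OWNERS


def _walk(node: Any) -> Iterable[dict]:
    """Yield every serialized LangChain object ({"lc": 1, "type": ...}) in a manifest, depth first."""
    if isinstance(node, dict):
        if node.get("lc") == 1 and "type" in node:
            yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def manifest_violations(manifest: dict) -> List[str]:
    """Return reasons the manifest must not be deserialized; an empty list means it only holds prompt classes."""
    problems: List[str] = []
    for obj in _walk(manifest):
        kind = obj.get("type")
        ident = tuple(obj.get("id", []))
        if kind == "constructor":
            if ident not in ALLOWED_CONSTRUCTOR_IDS:
                problems.append(f"disallowed constructor {'.'.join(ident)}")
        elif kind == "secret":
            # A secret reference is resolved from *our* environment at load time.
            problems.append(f"secret reference {'.'.join(ident)}")
        else:
            problems.append(f"unexpected serialized type {kind!r}")
    return problems


def safe_to_load(identifier: str, manifest: dict) -> bool:
    """Both gates must pass before the manifest is handed to the deserializer."""
    return is_trusted_owner(identifier) and not manifest_violations(manifest)


# Constructed sample: a prompt pulled with model config, i.e. a RunnableSequence
# of prompt | chat model, where the model carries a secret reference.
SAMPLE_INTERNAL_MANIFEST = {
    "lc": 1, "type": "constructor",
    "id": ["langchain", "prompts", "chat", "ChatPromptTemplate"],
    "kwargs": {"messages": [{
        "lc": 1, "type": "constructor",
        "id": ["langchain", "prompts", "chat", "HumanMessagePromptTemplate"],
        "kwargs": {"prompt": {
            "lc": 1, "type": "constructor",
            "id": ["langchain", "prompts", "prompt", "PromptTemplate"],
            "kwargs": {"template": "Summarize: {text}", "input_variables": ["text"]},
        }},
    }]},
}
SAMPLE_PUBLIC_MANIFEST = {
    "lc": 1, "type": "constructor",
    "id": ["langchain", "schema", "runnable", "RunnableSequence"],
    "kwargs": {
        "first": SAMPLE_INTERNAL_MANIFEST,
        "last": {
            "lc": 1, "type": "constructor",
            "id": ["langchain", "chat_models", "openai", "ChatOpenAI"],
            "kwargs": {"openai_api_key": {"lc": 1, "type": "secret", "id": ["OPENAI_API_KEY"]}},
        },
    },
}

if __name__ == "__main__":
    for ident in ("my-summarizer", "acme-internal/summarizer:abc123", "random-user/summarizer"):
        print(f"{ident}: trusted owner = {is_trusted_owner(ident)}")
    for problem in manifest_violations(SAMPLE_PUBLIC_MANIFEST):
        print("violation:", problem)
```

Run `safe_to_load` on the raw manifest dict obtained from the Hub before anything deserializes it; the owner gate alone does not help once an application has already decided to consume a public prompt, which is why the content gate rejects every class that is not a prompt template and every secret reference regardless of owner.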
Evidence notes
CVE description confirms the vulnerability exists in LangSmith SDK Python versions prior to 0.8.0 and JS/TS versions prior to 0.6.0. The GitHub Security Advisory (GHSA-3644-q5cj-c5c7) is cited as the primary source reference. CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N indicates network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact.
Official resources
- CVE-2026-45134 CVE record (CVE.org)
- CVE-2026-45134 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: 2026-05-27