EXECUTIVE SUMMARY:
CVE-2026-45134 (CVSS score 7.1) is a deserialization of untrusted data vulnerability in the LangSmith SDK. It affects applications that pull public prompts by `owner/name` identifier without independently validating their contents. The vulnerability resides in the prompt pull methods (`pull_prompt` / `pull_prompt_commit` in Python, `pullPrompt` / `pullPromptCommit` in JS/TS) of affected packages, including `pip/langsmith`, `npm/langsmith`, `pip/langchain-classic`, and `pip/langchain`, in versions prior to 0.8.0, 0.6.0, 1.0.7, and 0.3.30, respectively. An attacker can exploit it by publishing a malicious prompt to LangSmith Hub; when an application pulls and deserializes that prompt, it instantiates LangChain objects with attacker-controlled constructor arguments. This can lead to server-side request forgery (SSRF), prompt injection or behavior manipulation, and additional deserialization risk. The business impact is significant: attackers can control runtime behavior and disclose sensitive information such as system prompts, retrieved context, model parameters, and provider credentials. To exploit this vulnerability, an attacker needs write access to the LangSmith Hub or a compromised account within the application's organization.
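To triage exposure against the version ranges above, the following added example (not code from the advisory or from the LangSmith project) checks installed Python packages and caller-supplied npm versions against the first fixed releases. The function names are hypothetical, and treating a pre-release of a fixed version (such as `0.8.0rc1`) as still affected is a conservative assumption made here.

```python
import re
from importlib import metadata

# First fixed version per package, copied from the summary above.
FIXED = {
    ("pip", "langsmith"): (0, 8, 0),
    ("npm", "langsmith"): (0, 6, 0),
    ("pip", "langchain-classic"): (1, 0, 7),
    ("pip", "langchain"): (0, 3, 30),
}

_VERSION = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")
# Suffixes that sort before the bare release (PEP 440 "rc1"/".dev1", semver "-rc.1").
_PRE = re.compile(r"^[-_.]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)


def parse(version):
    """Return (release_tuple, is_prerelease); raise ValueError if unparseable."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad "0.8" to (0, 8, 0)
    return release, bool(_PRE.match(m.group(2)))


def is_affected(ecosystem, name, version):
    """True if `version` predates the first fixed release for this package."""
    fixed = FIXED[(ecosystem, name)]
    release, pre = parse(version)
    # Compare numerically (0.3.9 < 0.3.30); a pre-release of the fix sorts below it.
    return release < fixed or (release == fixed and pre)


def audit_python_env():
    """Map each pip package to True (affected), False (fixed) or None (absent)."""
    findings = {}
    for name in (n for eco, n in FIXED if eco == "pip"):
        try:
            findings[name] = is_affected("pip", name, metadata.version(name))
        except metadata.PackageNotFoundError:
            findings[name] = None  # not installed in this interpreter
    return findings


if __name__ == "__main__":
    for pkg, hit in audit_python_env().items():
        status = {None: "not installed", True: "AFFECTED", False: "ok"}[hit]
        print(f"{pkg}: {status}")
```

For JS/TS projects, pass the version reported by `npm ls langsmith` to `is_affected("npm", "langsmith", version)`.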
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-3644-q5cj-c5c7