CVE-2026-45134 · Severity: HIGH · CNA: GitHub_M

CVE-2026-45134: LangSmith Client SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization. This vulnerability is fixed in LangSmith SDK Python 0.8.0 and JS/TS 0.6.0.

HarborGuard Analysis

Synopsis

This is an untrusted deserialization vulnerability in the LangSmith Client SDK (Python and JS/TS). When an application calls the prompt-pull methods to fetch a public prompt by owner/name identifier, the SDK fetches and deserializes a manifest from the LangSmith Hub that is controlled by an external party, with no warning or trust boundary check. Successful exploitation allows a malicious prompt author to expose sensitive runtime data and tamper with model configuration or behavior in the consuming application. Fix versions (Python 0.8.0 and JS/TS 0.6.0) have been published upstream; a patched-image rebuild at those versions is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45134 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all scanned container images, including custom-built images that bundle the LangSmith SDK. Any image carrying a vulnerable version of langsmith-sdk (Python below 0.8.0 or JS/TS below 0.6.0) is flagged immediately.

Triage: Available

HarborGuard scores this vulnerability at CVSS 7.1 HIGH and is capable of weighting that score against each customer environment's compliance policy to prioritize accordingly. Findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

A patched-image rebuild at Python 0.8.0 and JS/TS 0.6.0 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must serve a malicious prompt manifest over the network via the LangSmith Hub, reachable because the SDK fetches manifests from a remote endpoint.

  • Authentication: Not required

    No authentication is needed; public prompts on the LangSmith Hub can be authored and served by any external party without the victim holding any relationship with that account.

  • Victim interaction: Required

    A developer or automated pipeline must call pull_prompt, pull_prompt_commit, pullPrompt, or pullPromptCommit referencing the attacker-controlled public prompt, making this a social-engineering or supply-chain confusion vector.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free once the victim pulls the malicious prompt; no race condition or special memory layout is required.

Blast Radius

  • Reads sensitive runtime data accessible to the application process, such as API keys, environment variables, or intermediate model outputs passed through the LangChain object graph.
  • Modifies model configuration embedded in the deserialized manifest, altering the behavior of LLM calls made by the consuming application without the developer's knowledge.
  • Does not directly crash the service; availability impact is rated None in the CVSS scoring.

How HarborGuard Handles This

Available on HarborGuard: images containing langsmith-sdk Python below 0.8.0 or JS/TS below 0.6.0 are detectable immediately upon CVE ingestion. For customers who opt into auto-remediation, HarborGuard can rebuild affected images at the patched versions, run regression tests, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with CVSS 7.1 HIGH severity so teams can act manually. As a compensating control while upgrades are being scheduled, consider restricting which prompt identifiers are permitted in production pipelines (for example, via an allowlist of trusted org-owned prompts) and applying egress filtering to block SDK calls to LangSmith Hub endpoints from sensitive runtime environments.
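As an added example of the allowlist compensating control described above (this is not code from HarborGuard, LangChain, or the LangSmith SDK): a small policy layer that parses the prompt identifier and refuses to invoke the SDK's pull method unless the prompt is org-owned or comes from an allowlisted owner. The identifier grammar `[owner/]name[:commit]`, the treatment of owner-less identifiers as the caller's own organization, and the requirement that external prompts pin a commit are assumptions of the example; the commit-pinning check goes beyond what the advisory states. The real SDK call (for example `Client().pull_prompt`) is passed in as a callable so the gate runs offline against a constructed stand-in.

```python
# Added example (not HarborGuard's or LangChain's code): an allowlist gate
# that sits in front of the LangSmith SDK's pull_prompt / pull_prompt_commit
# calls, so production code can only pull prompts from trusted owners.
# Assumptions (mine, not from the advisory): identifiers look like
# "[owner/]name[:commit]", an identifier with no owner prefix refers to the
# caller's own organization, and a trailing ":commit" pins a specific commit.
from dataclasses import dataclass
from typing import Any, Callable, FrozenSet, Optional


class UntrustedPromptError(ValueError):
    """The identifier points outside the configured trust boundary."""


@dataclass(frozen=True)
class PromptRef:
    owner: Optional[str]   # None: no owner prefix, i.e. the caller's own org
    name: str
    commit: Optional[str]  # None: floating (latest) revision


def parse_prompt_identifier(identifier: str) -> PromptRef:
    """Split "[owner/]name[:commit]"; reject empty parts and nested slashes."""
    if not identifier or identifier != identifier.strip():
        raise ValueError(f"malformed prompt identifier: {identifier!r}")
    path, _, commit = identifier.partition(":")
    owner, sep, name = path.rpartition("/")
    if sep and (not owner or "/" in owner):
        raise ValueError(f"malformed owner in identifier: {identifier!r}")
    if not name or (":" in identifier and not commit):
        raise ValueError(f"malformed name or commit in identifier: {identifier!r}")
    return PromptRef(owner=owner if sep else None, name=name, commit=commit or None)


@dataclass(frozen=True)
class PromptPullPolicy:
    trusted_owners: FrozenSet[str] = frozenset()  # Hub owners allowed in prod
    allow_own_org: bool = True                    # identifiers with no owner
    require_pinned_commit: bool = True            # external prompts must pin

    def check(self, identifier: str) -> PromptRef:
        """Return the parsed ref if permitted, else raise UntrustedPromptError."""
        ref = parse_prompt_identifier(identifier)
        if ref.owner is None:
            if not self.allow_own_org:
                raise UntrustedPromptError("own-org prompts disabled by policy")
            return ref
        if ref.owner not in self.trusted_owners:
            raise UntrustedPromptError(f"owner {ref.owner!r} is not allowlisted")
        if self.require_pinned_commit and ref.commit is None:
            raise UntrustedPromptError(f"external prompt {identifier!r} must pin a commit")
        return ref

    def permits(self, identifier: str) -> bool:
        """Boolean form of check(); malformed identifiers are also refused."""
        try:
            self.check(identifier)
        except ValueError:  # UntrustedPromptError is a ValueError too
            return False
        return True


def guarded_pull(identifier: str, policy: PromptPullPolicy,
                 pull: Callable[[str], Any]) -> Any:
    """Enforce the policy, then delegate to the real SDK call
    (e.g. langsmith.Client().pull_prompt), passed in so this runs offline."""
    policy.check(identifier)
    return pull(identifier)


if __name__ == "__main__":
    # Constructed stand-in for Client.pull_prompt; no network access, and the
    # owner names and commit hash below are made up for the demonstration.
    fake_pull = lambda ident: {"manifest_for": ident}
    policy = PromptPullPolicy(trusted_owners=frozenset({"acme-platform"}))
    for ident in ["support-bot", "acme-platform/support-bot:3f9c2a1",
                  "acme-platform/support-bot", "stranger/support-bot:3f9c2a1"]:
        try:
            print(ident, "->", guarded_pull(ident, policy, fake_pull))
        except UntrustedPromptError as exc:
            print(ident, "-> blocked:", exc)
```

Wiring this in means replacing direct `pull_prompt` calls in pipeline code with `guarded_pull`, with the allowlist loaded from configuration rather than hard-coded; the gate cannot inspect the manifest itself, so it complements, rather than replaces, upgrading to the fixed SDK versions.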


Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: Python 0.8.0, JS/TS 0.6.0
Affected products: 1
Affected packages:
  • langchain-ai / langsmith-sdk: < 0.8.0 (Python) · < 0.6.0 (JS/TS)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N