{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/langchain-classic/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["langsmith","langchain-classic","langchain"],"_cs_severities":["high"],"_cs_tags":["deserialization","ssrf","prompt-injection"],"_cs_type":"advisory","_cs_vendors":["LangChain"],"content_html":"\u003cp\u003eThe LangSmith SDK is susceptible to a deserialization vulnerability when fetching public prompts. Specifically, the \u003ccode\u003epull_prompt\u003c/code\u003e and \u003ccode\u003epull_prompt_commit\u003c/code\u003e methods in Python, and \u003ccode\u003epullPrompt\u003c/code\u003e and \u003ccode\u003epullPromptCommit\u003c/code\u003e in JS/TS, fetch and deserialize prompt manifests from the LangSmith Hub. These manifests can contain serialized LangChain objects and model configurations, effectively making them executable configuration. When pulling a public prompt using the \u003ccode\u003eowner/name\u003c/code\u003e identifier, the SDK doesn\u0026rsquo;t adequately distinguish this from pulling a prompt within the caller\u0026rsquo;s own organization, leading to potential security risks. An attacker publishing a malicious prompt to LangSmith Hub can affect applications that pull that prompt by \u003ccode\u003eowner/name\u003c/code\u003e. This vulnerability affects LangSmith SDK Python versions prior to 0.8.0 and JS/TS versions prior to 0.6.0, as well as langchain-classic \u0026lt; 1.0.7 and langchain \u0026lt; 0.3.30. This allows an attacker to control the behavior of applications using LangSmith.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker creates a malicious prompt manifest containing a serialized LangChain object with a modified \u003ccode\u003ebase_url\u003c/code\u003e parameter pointing to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes this malicious prompt to the LangSmith Hub, making it available to the public.\u003c/li\u003e\n\u003cli\u003eA victim application calls \u003ccode\u003epull_prompt\u003c/code\u003e (Python) or \u003ccode\u003epullPrompt\u003c/code\u003e (JS/TS) using the \u003ccode\u003eowner/name\u003c/code\u003e identifier of the attacker\u0026rsquo;s malicious prompt.\u003c/li\u003e\n\u003cli\u003eThe LangSmith SDK fetches the malicious prompt manifest from the LangSmith Hub.\u003c/li\u003e\n\u003cli\u003eThe SDK deserializes the manifest, instantiating the LangChain object with the attacker-supplied \u003ccode\u003ebase_url\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim application sends requests to the configured LLM client. Due to the malicious \u003ccode\u003ebase_url\u003c/code\u003e, these requests are redirected to the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server intercepts the redirected requests, potentially capturing prompt contents, system prompts, retrieved context, model parameters, provider credentials, or other secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information or manipulates the application\u0026rsquo;s behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to severe consequences, including Server-Side Request Forgery (SSRF), where outbound requests are redirected to attacker-controlled servers, potentially exposing sensitive information. Prompt injection and behavior manipulation are also possible by embedding attacker-controlled system messages or prompt templates. The impact extends to applications using vulnerable versions of LangSmith SDK, with the potential for data breaches and unauthorized access. This vulnerability is tracked as CVE-2026-45134 and has a high severity rating.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to LangSmith SDK Python version 0.8.0 or later, or JS/TS version 0.6.0 or later, to address the vulnerability.\u003c/li\u003e\n\u003cli\u003eExplicitly acknowledge the trust boundary when pulling public prompts by passing \u003ccode\u003edangerously_pull_public_prompt=True\u003c/code\u003e (Python) or \u003ccode\u003edangerouslyPullPublicPrompt: true\u003c/code\u003e (JS/TS) to the \u003ccode\u003epull_prompt\u003c/code\u003e or \u003ccode\u003epullPrompt\u003c/code\u003e methods.\u003c/li\u003e\n\u003cli\u003eReview and validate the contents of public prompts before using them, especially those pulled using the \u003ccode\u003eowner/name\u003c/code\u003e identifier.\u003c/li\u003e\n\u003cli\u003eAvoid passing \u003ccode\u003esecrets_from_env=True\u003c/code\u003e (Python) when pulling untrusted prompts to prevent environment variable leakage during deserialization.\u003c/li\u003e\n\u003cli\u003eTreat prompts as executable configuration and apply thorough review and audit practices, especially within your own organization, as compromised API keys can lead to malicious prompt injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LangSmith Public Prompt Pull Opt-In\u0026rdquo; to monitor for explicit opt-in to pulling public prompts, indicating a potential risk area.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:33:02Z","date_published":"2026-05-13T15:33:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-langsmith-deserialization/","summary":"The LangSmith SDK is vulnerable to untrusted manifest deserialization when pulling public prompts via `pull_prompt`, potentially leading to SSRF, prompt injection, or sensitive data exposure; CVE-2026-45134.","title":"LangSmith SDK Untrusted Manifest Deserialization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-langsmith-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — Langchain-Classic","version":"https://jsonfeed.org/version/1.1"}