Vendor
high
advisory
LangSmith SDK Untrusted Manifest Deserialization Vulnerability
2 rules, 3 TTPs
The LangSmith SDK is vulnerable to untrusted manifest deserialization when pulling public prompts via `pull_prompt`, potentially leading to SSRF, prompt injection, or sensitive data exposure (CVE-2026-45134).
langsmith +2
deserialization
ssrf
prompt-injection
high
advisory
LangChain Unsafe Deserialization Vulnerability
2 rules, 1 TTP
LangChain is vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists, potentially leading to persistent chat-history poisoning, prompt injection, credential disclosure, or server-side requests.
langchain-core
langchain
deserialization
vulnerability