VYPR
High severity7.1GHSA Advisory· Published May 27, 2026· Updated May 29, 2026

CVE-2026-45134

CVE-2026-45134

Description

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization. This vulnerability is fixed in LangSmith SDK Python 0.8.0 and JS/TS 0.6.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
langsmithPyPI
< 0.8.00.8.0
langsmithnpm
< 0.6.00.6.0
langchain-classicPyPI
< 1.0.71.0.7
langchainPyPI
< 0.3.300.3.30

Affected products

31

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.