Critical LangSmith Vulnerability (CVE-2026-25750) Exposed AI Environments to Token Theft and Account Takeover
Researchers at Miggo Security uncovered a severe vulnerability in LangSmith, tracked as CVE-2026-25750, that could enable token theft and full account takeover in enterprise AI environments. LangSmith, a platform for debugging and monitoring large language model (LLM) data, processes billions of daily events, amplifying the potential impact of the flaw.
The vulnerability stemmed from an insecure API configuration in LangSmith Studio, where the baseUrl parameter used to direct frontend requests to backend APIs was implicitly trusted without domain validation. Attackers could exploit this by tricking authenticated users into visiting a malicious site or a compromised webpage containing a crafted link. The victim’s browser would then silently route API requests and session credentials to an attacker-controlled server, enabling session hijacking within a five-minute window before token expiration.
Exploitation did not require traditional phishing; instead, the attack executed in the background via malicious JavaScript, leveraging the victim’s active session. Once compromised, attackers could access AI trace histories, exposing raw execution data, proprietary source code, financial records, or sensitive customer information. They could also steal system prompts, the critical intellectual property that defines AI model behavior, or manipulate project settings to disrupt observability workflows.
LangChain patched the flaw by enforcing a strict allowed origins policy, requiring domains to be pre-approved in account settings. Unauthorized baseUrl requests are now automatically blocked. The vulnerability was fully resolved for LangSmith Cloud customers by December 15, 2025, with no evidence of active exploitation reported. However, self-hosted administrators must upgrade to LangSmith v0.12.71 or Helm chart langsmith-0.12.33 to secure their deployments. The official security advisory was published on January 7, 2026.
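As an added illustration (not LangSmith's or LangChain's own code), the following shows a browser frontend handling a user-supplied baseUrl parameter the weak way described above beside the allowlist check the fix enforces; the origins, default backend and function names are assumptions.

```javascript
// Added illustration, not LangSmith code. Shows a frontend deciding which
// backend origin receives API calls (and the session token) from a
// user-controlled `baseUrl` parameter. Origins and names are constructed.

const DEFAULT_API_BASE = "https://api.example.test";        // assumed default backend
const ALLOWED_ORIGINS = new Set([                             // pre-approved origins (assumed)
  "https://api.example.test",
  "https://langsmith.internal.example.test",
]);

// Weak pattern: whatever the page's query string supplies is used as-is,
// so a link carrying ?baseUrl=https://evil.example redirects every call.
function pickApiBaseInsecure(candidate) {
  return candidate || DEFAULT_API_BASE;
}

// Hardened pattern: accept the candidate only when it parses as an https URL
// with no embedded credentials and its origin (scheme + host + port) exactly
// matches an allowlisted entry; everything else falls back to the default.
function pickApiBaseSecure(candidate, allowed = ALLOWED_ORIGINS) {
  if (typeof candidate !== "string" || candidate === "") return DEFAULT_API_BASE;
  let url;
  try {
    url = new URL(candidate);                // throws on relative or malformed input
  } catch (e) {
    return DEFAULT_API_BASE;
  }
  if (url.protocol !== "https:") return DEFAULT_API_BASE;     // drops http:, javascript:, data:
  if (url.username || url.password) return DEFAULT_API_BASE;  // "https://api.example.test@evil.example"
  if (!allowed.has(url.origin)) return DEFAULT_API_BASE;      // exact match: no subdomains, no odd ports
  return url.origin;                                          // canonical origin, path discarded
}

// Pull the baseUrl parameter out of a page URL's query string.
function baseUrlFromPageUrl(pageUrl) {
  return new URL(pageUrl).searchParams.get("baseUrl");
}

// Run both policies over constructed page URLs, including look-alike hosts.
function demo() {
  const pages = [
    "https://studio.example.test/?baseUrl=https://api.example.test/v1",
    "https://studio.example.test/?baseUrl=https://api.example.test.evil.example",
    "https://studio.example.test/?baseUrl=https://api.example.test@evil.example",
    "https://studio.example.test/?baseUrl=http://api.example.test",
  ];
  return pages.map((page) => {
    const candidate = baseUrlFromPageUrl(page);
    return { candidate, insecure: pickApiBaseInsecure(candidate), secure: pickApiBaseSecure(candidate) };
  });
}
```

The allowlist comparison is on the full origin, so a look-alike subdomain, an embedded username, a non-default port or a plain http scheme all fall back to the default backend instead of receiving the session token.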
Source: https://cybersecuritynews.com/critical-langsmith-account-takeover-vulnerability/
LangChain cybersecurity rating report: https://www.rankiteo.com/company/langchain
"id": "LAN1773469421",
"linkid": "langchain",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Enterprise AI environments '
'using LangSmith',
'industry': 'Technology/AI',
'name': 'LangChain (LangSmith)',
'type': 'AI Platform Provider'}],
'attack_vector': 'Malicious JavaScript/Compromised Webpage',
'customer_advisories': 'Self-hosted administrators advised to upgrade '
'immediately; cloud customers patched by December 15, '
'2025.',
'data_breach': {'data_exfiltration': 'Possible (via session hijacking)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['AI trace histories',
'Proprietary source code',
'Financial records',
'Sensitive customer information',
'System prompts']},
'date_publicly_disclosed': '2026-01-07',
'date_resolved': '2025-12-15',
'description': 'Researchers at Miggo Security uncovered a severe '
'vulnerability in LangSmith, tracked as CVE-2026-25750, that '
'could enable token theft and full account takeover in '
'enterprise AI environments. The vulnerability stemmed from an '
'insecure API configuration in LangSmith Studio, where the '
'`baseUrl` parameter was implicitly trusted without domain '
'validation. Attackers could exploit this by tricking '
'authenticated users into visiting a malicious site or '
'compromised webpage, silently routing API requests and '
'session credentials to an attacker-controlled server.',
'impact': {'data_compromised': 'AI trace histories, raw execution data, '
'proprietary source code, financial records, '
'sensitive customer information, system '
'prompts',
'identity_theft_risk': 'High (session hijacking, account takeover)',
'operational_impact': 'Disruption of observability workflows, '
'potential manipulation of project settings',
'systems_affected': 'LangSmith (Cloud and self-hosted '
'deployments)'},
'investigation_status': 'Resolved (no evidence of active exploitation)',
'lessons_learned': 'Importance of domain validation for API parameters, '
'strict allowed origins policies, and timely patching of '
'self-hosted deployments.',
'post_incident_analysis': {'corrective_actions': 'Strict allowed origins '
'policy, patch deployment, '
'security advisory '
'publication',
'root_causes': 'Insecure API configuration '
'(implicit trust of `baseUrl` '
'parameter without domain '
'validation)'},
'recommendations': ['Upgrade to LangSmith v0.12.71 or Helm chart '
'langsmith-0.12.33 for self-hosted deployments',
'Enforce strict allowed origins policy for API requests',
'Monitor for unauthorized `baseUrl` modifications',
'Educate users on risks of malicious '
'links/JavaScript-based attacks'],
'references': [{'source': 'Miggo Security'},
{'source': 'LangChain Security Advisory'}],
'response': {'communication_strategy': 'Official security advisory published '
'on January 7, 2026',
'containment_measures': 'Enforced strict allowed origins policy '
'for `baseUrl` parameter',
'remediation_measures': 'Patch released (LangSmith v0.12.71, '
'Helm chart langsmith-0.12.33)'},
'title': 'Critical LangSmith Vulnerability (CVE-2026-25750) Exposed AI '
'Environments to Token Theft and Account Takeover',
'type': 'API Misconfiguration',
'vulnerability_exploited': 'CVE-2026-25750 (Insecure `baseUrl` parameter in '
'LangSmith Studio)'}