Critical LangSmith Vulnerability Allows Account Takeover
Key Takeaways
- A critical vulnerability, CVE-2026-25750, was discovered in LangSmith, a platform for monitoring large language model data.
- The flaw could enable account takeover and token theft due to an insecure API configuration that failed to validate the baseUrl parameter.
- Successful exploitation could expose sensitive AI trace histories, proprietary source code, financial data, customer information, and AI model system prompts.
- LangChain has issued a patch, implementing a strict allowed origins policy to validate API base URLs.
- Cloud users are already protected, while self-hosted administrators must update to LangSmith version 0.12.71 or Helm chart langsmith-0.12.33 or later.
Cybersecurity researchers at Miggo Security have uncovered a severe vulnerability in LangSmith, an essential platform for debugging and monitoring large language model (LLM) data. Designated as CVE-2026-25750, this critical flaw could allow attackers to steal user tokens and achieve complete account takeover, posing significant risks to enterprise AI environments that process billions of events daily.
Technical Breakdown of the Vulnerability
The core of the vulnerability lies within LangSmith Studio’s API configuration, specifically its handling of the baseUrl parameter. This parameter is designed to offer developers flexibility, enabling their frontend applications to retrieve data from various backend APIs. However, prior to the patch, the system implicitly trusted the input provided via this parameter without performing crucial validation of the destination domain.
This absence of validation created a critical security loophole. An authenticated LangSmith user who visited a malicious website or clicked a specially crafted link containing an attacker-controlled base URL could inadvertently direct their browser to send API requests and active session credentials to a hostile server. This silent redirection bypasses the need for traditional phishing, where users manually input their credentials.
The Account Takeover Attack Chain
The exploitation process for this vulnerability does not rely on users actively submitting credentials. Instead, it leverages the victim’s existing authenticated session. The attack unfolds when an authenticated victim navigates to a malicious webpage or a legitimate site compromised with malicious JavaScript. This script then forces the victim’s browser to load a manipulated LangSmith Studio URL, which points to an attacker-controlled server.
As a result, the victim’s browser unknowingly transmits its active session credentials to the malicious domain rather than the legitimate LangSmith server. The attacker can then intercept this session token. Miggo researchers noted that the attacker has a five-minute window to hijack the account before the session token automatically expires. The visual diagram illustrates the end-to-end flow of the Account Takeover attack (Source: Miggo).
Broader Implications of an AI Platform Compromise
An account takeover within an AI observability platform like LangSmith carries unique and potentially far-reaching consequences beyond typical unauthorized access. Attackers who gain control of a LangSmith account can access detailed AI trace histories, which often contain raw execution data crucial for debugging.
Successful exploitation could expose highly sensitive information, including raw data returned from internal databases, proprietary source code, confidential financial records, or private customer data. Furthermore, threat actors could steal system prompts, which are integral to defining the proprietary behavior and intellectual property embedded within an organization’s AI models. Attackers could also modify project settings or delete critical observability workflows, disrupting operations and destroying intellectual property.
Mitigation and Updates
LangChain has addressed the vulnerability by implementing a stringent allowed origins policy, as detailed in a report by Miggo. The platform now mandates that domains must be explicitly pre-configured as trusted origins within account settings before they can be accepted as an API base URL. Any requests originating from unauthorized base URLs are automatically blocked.
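As an added illustration of the bug class described in the technical breakdown and of the allowed-origins fix described here (example code, not LangSmith's or Miggo's own): a frontend that takes `baseUrl` from the page URL, shown in its unvalidated form beside a form that accepts only an origin pre-configured as trusted. The hostnames, the trusted set and the request path are assumed placeholders.

```javascript
// Added example, not LangSmith's own code. Models the bug class described above:
// a frontend reads a `baseUrl` query parameter and uses it as the API origin for
// authenticated requests. The default origin and trusted set are assumed placeholders.
const DEFAULT_API = "https://api.langsmith.example"; // assumed placeholder, not a real host

// Vulnerable form: whatever value arrives in the page URL is trusted as the API origin.
function resolveBaseUrlUnsafe(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  return params.get("baseUrl") || DEFAULT_API;
}

// Hardened form: the supplied value must parse as an absolute https URL whose
// origin is explicitly pre-configured as trusted; anything else falls back to
// the default and is reported as rejected so the attempt can be logged.
function resolveBaseUrlSafe(pageUrl, trustedOrigins) {
  const raw = new URL(pageUrl).searchParams.get("baseUrl");
  if (raw === null) return { baseUrl: DEFAULT_API, rejected: null };
  let parsed;
  try {
    // Parse without a base URL so relative and protocol-relative values ("//host") fail here
    parsed = new URL(raw);
  } catch {
    return { baseUrl: DEFAULT_API, rejected: raw };
  }
  // Compare the whole origin, never a string prefix: "https://api.langsmith.example.evil.test"
  // and "https://api.langsmith.example@evil.test" both resolve to a different origin.
  if (parsed.protocol !== "https:" || !trustedOrigins.has(parsed.origin)) {
    return { baseUrl: DEFAULT_API, rejected: raw };
  }
  return { baseUrl: parsed.origin, rejected: null };
}

// Where the session credential travels: the Authorization header goes to whatever
// origin the resolver returned, which is why validation has to happen first.
function buildTraceRequest(baseUrl, sessionToken) {
  return {
    url: new URL("/api/v1/runs", baseUrl).href, // path is illustrative only
    headers: { Authorization: `Bearer ${sessionToken}` },
  };
}
```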
According to the official LangSmith Security Advisory, published on January 7, 2026, there is currently no evidence of this vulnerability being actively exploited in the wild. Cloud customers of LangSmith are already protected, as the vulnerability was fully resolved on the LangSmith Cloud platform by December 15, 2025. However, administrators managing self-hosted LangSmith deployments must take immediate action to secure their environments.
What You Should Do
- For Self-Hosted LangSmith Administrators: Immediately upgrade your deployments to LangSmith version 0.12.71, or Helm chart langsmith-0.12.33, or later versions.
- For Cloud LangSmith Users: No immediate action is required, as the LangSmith Cloud platform was patched by December 15, 2025.
- Implement General Security Best Practices: Encourage users to exercise caution when clicking on unfamiliar links or visiting untrusted websites, even though this attack does not require manual credential entry.
- Monitor for Suspicious Activity: Regularly review audit logs and activity within your LangSmith accounts for any unusual or unauthorized changes.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.