Prototype Pollution Vulnerability in LangSmith JavaScript/TypeScript SDK
CVE-2026-40190

5.6 MEDIUM

Key Information:

Vendor
CVE Published: 10 April 2026

What is CVE-2026-40190?

The LangSmith JavaScript/TypeScript SDK, prior to version 0.5.18, contains a prototype pollution vulnerability: its lodash utility function set() provides only incomplete protection against prototype pollution. Specifically, the baseAssignValue() function only restricts access to the __proto__ key but does not prevent exploitation through constructor.prototype. An attacker can exploit this issue by manipulating keys in data processed by the createAnonymizer() API, resulting in pollution of Object.prototype, which affects all objects within the Node.js process. This security flaw has been addressed in SDK version 0.5.18.
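One way to close the gap described above, as an added example (not the SDK's or lodash's code): a path setter that rejects `__proto__`, `constructor` and `prototype` segments before writing and descends only through own properties. The names `safeSet`, `parsePath`, `defineOwn` and `BLOCKED_KEYS` are hypothetical.

```javascript
// Added example, not LangSmith or lodash code. All names here are hypothetical.
// Segments that can reach a prototype object during path traversal.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "a.b[0].c" into ["a", "b", "0", "c"]. Array paths are accepted as-is.
// Quoted bracket keys are not parsed and end up as one literal key.
function parsePath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\w+)\]/g, ".$1")
    .split(".")
    .filter((seg) => seg.length > 0);
}

// Create an own data property without invoking inherited setters.
function defineOwn(node, key, value) {
  Object.defineProperty(node, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
}

function safeSet(target, path, value) {
  const segments = parsePath(path);
  if (segments.length === 0) throw new TypeError("empty path");
  // Validate the whole path first so a blocked segment never causes a partial write.
  for (const seg of segments) {
    if (BLOCKED_KEYS.has(seg)) {
      throw new Error(`refusing unsafe path segment: ${seg}`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    // Descend only into own properties, never inherited ones.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    let next = own ? node[key] : undefined;
    if (next === null || typeof next !== "object") {
      // Create an array when the next segment is a numeric index.
      next = /^\d+$/.test(segments[i + 1]) ? [] : {};
      defineOwn(node, key, next);
    }
    node = next;
  }
  defineOwn(node, segments[segments.length - 1], value);
  return target;
}
```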

Affected Version(s)

langsmith-sdk < 0.5.18

CVSS V3.1

Score: 5.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved