File Access Vulnerability in LangSmith SDK by LangSmith
CVE-2026-59152

5MEDIUM

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-59152?

The LangSmith Client SDKs expose a vulnerability within the TracingMiddleware, which may allow an attacker to perform unauthorized file reads from a server's local filesystem. Prior to version 0.8.18, if an attacker is able to send an HTTP request to the server, they could trigger a read operation that uploads sensitive file contents as trace attachments to the LangSmith platform. The vulnerability persists as it can potentially be exploited without requiring user authentication, thereby enabling unauthorized users or low-privileged accounts to access sensitive data outside the intended trust boundary of the workspace. This poses significant security concerns about data integrity and confidentiality, especially for environments where workspace trace-read access is granted.

Affected Version(s)

langsmith-sdk < 0.8.18

References

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.