File Access Vulnerability in LangSmith SDK by LangSmith
CVE-2026-59152
What is CVE-2026-59152?
The LangSmith Client SDKs expose a vulnerability within the TracingMiddleware, which may allow an attacker to perform unauthorized file reads from a server's local filesystem. Prior to version 0.8.18, if an attacker is able to send an HTTP request to the server, they could trigger a read operation that uploads sensitive file contents as trace attachments to the LangSmith platform. The vulnerability persists as it can potentially be exploited without requiring user authentication, thereby enabling unauthorized users or low-privileged accounts to access sensitive data outside the intended trust boundary of the workspace. This poses significant security concerns about data integrity and confidentiality, especially for environments where workspace trace-read access is granted.
Affected Version(s)
langsmith-sdk < 0.8.18
