SSRF in Langchain-ai Langsmith-sdk
CVE-2026-25528
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (2.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.8 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N.
Affected products
- Langchain-ai Langsmith-sdk — versions >= 0.4.10, <0.6.3
Weakness classification (CWE)
References
- https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-v34v-rq6j-cj6p (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2026-25528?
- CVE-2026-25528 is a medium-severity vulnerability in Langchain-ai Langsmith-sdk, classified under Server-Side Request Forgery (SSRF). CVSS score: 5.8/10. Published 2026-02-09.
- How severe is CVE-2026-25528?
- Medium severity. CVSS v3 base score is 5.8 out of 10.