What is CVE-2026-40190?

CVE-2026-40190 is a medium-severity vulnerability in Langchain-ai Langsmith-sdk, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 5.6/10. Published 2026-04-10.

How severe is CVE-2026-40190?

Medium severity. CVSS v3 base score is 5.6 out of 10.

Prototype Pollution in Langchain-ai Langsmith-sdk

CVE-2026-40190

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() ut…

Vulnerability class: Prototype Pollution

EPSS: 0.000 (4.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.6 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L.

Affected products

Langchain-ai Langsmith-sdk — versions < 0.5.18

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

security-advisories@github.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-40190?: CVE-2026-40190 is a medium-severity vulnerability in Langchain-ai Langsmith-sdk, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 5.6/10. Published 2026-04-10.
How severe is CVE-2026-40190?: Medium severity. CVSS v3 base score is 5.6 out of 10.