Critical LangSmith Account Takeover Vulnerability Puts Users at Risk


Critical LangSmith Account Takeover Vulnerability

Miggo Security researchers have identified a critical vulnerability in LangSmith, tracked as CVE-2026-25750, that exposes users to potential token theft and complete account takeover.

As a central hub for debugging and monitoring large language model (LLM) application data, LangSmith processes billions of events daily, making this a high-stakes security flaw for enterprise AI environments.

The vulnerability stems from an insecure API configuration feature within LangSmith Studio. The platform uses a flexible baseUrl parameter that allows developers to direct their frontend application to fetch data from a different backend API.

Before the patch, the application implicitly trusted this input without validating the destination domain.

This lack of validation created a severe security gap. If an authenticated LangSmith user visited a malicious site or clicked a specially crafted link containing an attacker-controlled base URL, their browser would automatically send its API requests, together with the session credentials attached to them, to the hostile server.

LangSmith Account Takeover Vulnerability

Exploiting this vulnerability does not require traditional phishing tactics where a user manually enters credentials. Instead, the attack executes silently in the background using the victim’s active session.


The sequence begins when the authenticated victim visits a malicious webpage or a legitimate site compromised by hostile JavaScript. This script then forces the browser to load a crafted LangSmith Studio URL whose base URL parameter points to an attacker-controlled server.

The visual diagram illustrates the end-to-end flow of the Account Takeover attack (Source: Miggo)

Consequently, the victim’s browser inadvertently sends its active session credentials to the malicious domain instead of the legitimate LangSmith backend.

The attacker intercepts the session token and has a five-minute window to hijack the account before the token automatically expires.

An account takeover in an AI observability platform presents unique risks that extend far beyond standard unauthorized access.

Attackers gaining control of a LangSmith account can view detailed AI trace histories, which often retain raw execution data used for debugging.

Successful exploitation allows threat actors to read raw data returned from internal databases, potentially exposing proprietary source code, financial records, or sensitive customer information.

Furthermore, attackers can steal the system prompts that define the proprietary behavior and intellectual property of the organization’s AI models.

They can also hijack the account to modify project settings or delete critical observability workflows entirely.

Mitigation and Updates

LangChain patched the vulnerability by implementing a strict allowed-origins policy, as reported by Miggo.

The platform now requires domains to be explicitly pre-configured as trusted origins in the account settings before they can be accepted as an API base URL. Any unauthorized base URL requests are automatically blocked.
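The following is an added illustration of the flaw described above and of the allowlist fix, not LangSmith's or Miggo's code: the origin names, the query parameter name `baseUrl` as read from the page URL, and the trusted-origin set are assumptions. The vulnerable resolver uses whatever base URL the link supplies; the hardened one only accepts an origin that was explicitly pre-configured as trusted.

```javascript
// Added example, not LangSmith code. Origins below are constructed placeholders.
const DEFAULT_API_ORIGIN = "https://api.example.invalid";

// Stand-in for the trusted origins an administrator pre-configures in settings.
const TRUSTED_ORIGINS = new Set([
  DEFAULT_API_ORIGIN,
  "https://api-eu.example.invalid",
]);

// BEFORE: the baseUrl taken from the page URL is trusted as-is, so a crafted
// link can point the frontend (and the credentials it attaches) at any host.
function resolveBaseUrlVulnerable(pageUrl) {
  const candidate = new URL(pageUrl).searchParams.get("baseUrl");
  return candidate || DEFAULT_API_ORIGIN;
}

// AFTER: the candidate must parse, use https, carry no embedded userinfo, and
// its normalised origin must be on the allowlist; anything else falls back to
// the default backend instead of being honoured.
function resolveBaseUrlHardened(pageUrl, trusted = TRUSTED_ORIGINS) {
  const candidate = new URL(pageUrl).searchParams.get("baseUrl");
  if (!candidate) return DEFAULT_API_ORIGIN;
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return DEFAULT_API_ORIGIN; // unparsable input: refuse rather than guess
  }
  if (parsed.protocol !== "https:" || parsed.username || parsed.password) {
    return DEFAULT_API_ORIGIN;
  }
  // Compare the parsed origin, never the raw string: this rejects look-alike
  // hosts such as api.example.invalid.attacker.invalid and "user@host" tricks.
  if (!trusted.has(parsed.origin)) {
    return DEFAULT_API_ORIGIN;
  }
  return parsed.href;
}

module.exports = { DEFAULT_API_ORIGIN, resolveBaseUrlVulnerable, resolveBaseUrlHardened };
```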

According to the official LangSmith Security Advisory published on January 7, 2026, there is no evidence of active exploitation in the wild.

Cloud customers require no action, as the vulnerability was fully resolved on the LangSmith Cloud platform by December 15, 2025.

However, self-hosted administrators must immediately upgrade their deployments to LangSmith version 0.12.71 or later (Helm chart langsmith-0.12.33 or later) to ensure their environments are protected.
