CVE-2026-45134 is a high-severity insecure deserialization vulnerability in langsmith (pip), affecting versions < 0.8.0. It is fixed in 0.8.0, 0.6.0, 1.0.7, 0.3.30.
Description The LangSmith SDK's prompt pull methods (pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization. Prompt manifests can intentionally configure a model with a custom base URL, default headers, model name, or other constructor arguments. These are supported features, but they also mean the prompt contents should be treated as executable configuration rather than plain text. A prompt can also include serialized LangChain Runnable or PromptTemplate objects with attacker-controlled constructor kwargs, or secret references that, if secretsfromenv is enabled, read environment variables at deserialization time. Applications are exposed when all of the following are true: The application calls pullprompt or pullpromptcommit (Python) or pullPrompt or pullPromptCommit (JS/TS) with a public owner/name prompt identifier. The prompt was published or modified by an untrusted or compromised account. The application uses the pulled prompt without independently validating its contents. Applications that only pull prompts from their own organization (referenced by name only, without an owner/ prefix) are not affected by the public prompt trust boundary issue described above. However, same-organization prompts carry their own risk. If an attacker gains write access to the organization (for example, through a leaked LANGSMITHAPIKEY or a compromised team member account), they can push a malicious prompt that is pulled and deserialized without any additional warning. Impact An attacker who publishes a malicious prompt to LangSmith Hub may be able to affect applications that pull that prompt by owner/name. If the prompt manifest reaches the SDK's deserialization path, the SDK will instantiate the referenced LangChain objects with the attacker-supplied constructor arguments rather than treating the manifest as inert data. Realistic impacts include: Server-side request forgery (SSRF), outbound request redirection, and interception of LLM traffic if a prompt manifest configures an LLM client with an attacker-controlled baseurl, proxy, or equivalent endpoint-setting parameter. In typical deployments, redirected requests may include prompt contents, system prompts, retrieved context, model parameters, provider credentials, or other secrets and may disclose them to the attacker-controlled endpoint. Prompt injection or behavior manipulation if a manifest embeds attacker-controlled system messages, prompt templates, or model parameters that alter the application's behavior. Additional deserialization risk when includemodel=True is passed, because this expands the allowlist to partner integration classes. This is not the default, but it materially increases risk when pulling prompts from outside the caller's organization. Remediation The LangSmith SDK now blocks pulling public prompts by owner/name by default. Callers must explicitly opt in by passing dangerouslypullpublicprompt=True (Python) or dangerouslyPullPublicPrompt: true (JS/TS) to acknowledge the trust boundary. This flag should only be set after reviewing and trusting the prompt contents, not merely the publishing account. Upgrade to LangSmith SDK Python >= 0.8.0 or JS/TS >= 0.6.0. Guidance for prompt pull methods The prompt pull methods (pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS) should be used only with trusted prompts. Do not pull public prompts by owner/name from untrusted or unreviewed sources without understanding that the manifest contents will be deserialized and may affect runtime behavior. When pulling prompts that include model configuration (includemodel=True in Python, includeModel: true in JS/TS), the deserialization allowlist expands to include partner integration classes. Because this mode is not the default and is often unnecessary for third-party prompts, prefer the default (false) when pulling prompts from sources outside your organization. Avoid passing secretsfromenv=True (Python) when pulling untrusted prompts. This parameter allows prompt manifests to read environment variables during deserialization. Only use it with trusted prompts from your own organization. Same-organization prompts Prompts pulled from the caller's own organization (referenced by name only, without an owner/ prefix) are not gated by the new dangerouslypullpublicprompt flag, but they are not inherently safe. If an attacker gains write access to the organization (for example, through a leaked LANGSMITHAPIKEY or a compromised team member account), they can push a malicious prompt that redirects LLM traffic to attacker-controlled infrastructure and may disclose any credentials attached to those requests. The security of same-organization prompts follows a shared responsibility model. The LangSmith SDK enforces trust boundaries for public prompts pulled from external accounts, but it cannot protect against compromised credentials or accounts within the caller's own organization. Securing API keys, managing team member access, and reviewing prompt contents before production deployment are the responsibility of the organization. Organizations should treat prompts as executable configuration and apply the same review and audit practices they would apply to application code. Credits First reported by @Moaaz-0x.
Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.
CVE-2026-45134 has a CVSS score of 7.1 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (0.8.0, 0.6.0, 1.0.7, 0.3.30). Upgrading removes the vulnerable code path.
pip
langsmith (< 0.8.0)langchain-classic (< 1.0.7)langchain (< 0.3.30)npm
langsmith (< 0.6.0)langsmith → 0.8.0 (pip)langsmith → 0.6.0 (npm)langchain-classic → 1.0.7 (pip)langchain → 0.3.30 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2026-45134 is reachable in your applications. Explore runtime application protection for your team.
See if CVE-2026-45134 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-45134 in your environment →Upgrade the following packages to resolve this vulnerability:
langsmith to 0.8.0 or laterlangsmith to 0.6.0 or laterlangchain-classic to 1.0.7 or laterlangchain to 0.3.30 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-45134 is a high-severity insecure deserialization vulnerability in langsmith (pip), affecting versions < 0.8.0. It is fixed in 0.8.0, 0.6.0, 1.0.7, 0.3.30. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
CVE-2026-45134 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
langsmith (pip) (versions < 0.8.0)langchain-classic (pip) (versions < 1.0.7)langchain (pip) (versions < 0.3.30)Yes. CVE-2026-45134 is fixed in 0.8.0, 0.6.0, 1.0.7, 0.3.30. Upgrade to this version or later.
Whether CVE-2026-45134 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
langsmith to 0.8.0 or laterlangsmith to 0.6.0 or laterlangchain-classic to 1.0.7 or laterlangchain to 0.3.30 or later