Main Vulnerability Database Vulnerabilities #VU126130

#VU126130 Inclusion of Sensitive Information in Log Files in langsmith-sdk

Published: April 15, 2026

Vulnerability identifier: #VU126130

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-532

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
langsmith-sdk

Software vendor:
LangChain

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into log data in streaming token event handling when processing streaming LLM output. A remote attacker can trigger streaming output so that raw token values are recorded in new_token events to disclose sensitive information.

The issue affects both the JavaScript and Python SDK implementations, where output redaction applies to inputs and outputs fields but not to the events array.

Remediation

Install security update from vendor's website.

External links

https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-rr7j-v2q5-chgv

#VU126130 Inclusion of Sensitive Information in Log Files in langsmith-sdk

Description

Remediation

External links

Please verify you're human