Inclusion of Sensitive Information in Log Files in langsmith-sdk - #VU126130

 

Inclusion of Sensitive Information in Log Files in langsmith-sdk - #VU126130

Published: April 15, 2026


Vulnerability identifier: #VU126130
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-532
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LangChain
Affected software:
langsmith-sdk

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into log data in streaming token event handling when processing streaming LLM output. A remote attacker can trigger streaming output so that raw token values are recorded in new_token events to disclose sensitive information.

The issue affects both the JavaScript and Python SDK implementations, where output redaction applies to inputs and outputs fields but not to the events array.


Remediation

Install security update from vendor's website.

Sources