Inclusion of Sensitive Information in Log Files in langsmith-sdk - #VU126130
Published: April 15, 2026
langsmith-sdk
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into log data in streaming token event handling when processing streaming LLM output. A remote attacker can trigger streaming output so that raw token values are recorded in new_token events to disclose sensitive information.
The issue affects both the JavaScript and Python SDK implementations, where output redaction applies to inputs and outputs fields but not to the events array.