Critical LangSmith Vulnerability Enables Complete Account Takeover

Miggo Security researchers have discovered a critical vulnerability (CVE-2026-25750) in LangSmith, a leading AI observability platform used by enterprises to monitor and debug their Large Language Models (LLMs).

LangSmith processes nearly one billion events daily, making it a central hub for corporate AI data. This newly disclosed flaw exposed authenticated users to token theft and complete account takeover.

Because the platform sits at the intersection of application logic and data, a compromised account could leak highly sensitive information, including internal SQL queries, customer records, and proprietary source code.

The Core Vulnerability

LangSmith Studio includes a flexible API configuration feature that allows developers to specify a target backend API using a baseUrl parameter.

Before the patch, the application implicitly trusted this input and failed to validate the destination domain.

A user already logged into LangSmith could be compromised simply by visiting an attacker-controlled website or inadvertently executing hostile JavaScript.

The attacker’s site would secretly load a crafted LangSmith URL that points to a malicious base URL.

Instead of communicating with the legitimate server, the victim’s browser would be tricked into sending their active session credentials directly to the attacker’s domain.

Unlike traditional phishing, this attack does not require the victim to enter their username or password, as the exploit occurs automatically in the background.

Once the attacker intercepts the session token, they have a five-minute window to impersonate the victim and hijack the LangSmith account.

This grants the attacker severe levels of access to the organization’s core AI logic. Successful exploitation allows an attacker to perform several critical actions:

• Exfiltrate raw data returned from internal databases and APIs, including Personally Identifiable Information (PII), Protected Health Information (PHI), and financial records.
• Steal system prompts and access the proprietary intellectual property that dictates the AI’s behavior.
• Hijack the account to alter project settings or completely delete AI projects.

Patch Details and Mitigation

Following responsible disclosure by Miggo Security on December 1, 2025, LangChain developed a centralized fix by implementing a strict Allowed Origins policy.

The target domain must now be explicitly pre-configured as a trusted origin in the user’s account settings, neutralizing the unauthorized base URL attack entirely.

LangChain’s official security advisory, published on January 7, 2026, confirmed that no active exploitation has been observed in the wild.

To secure environments, organizations must verify their deployment status:

• Cloud customers require no action, as LangChain universally patched the SaaS platform on December 15, 2025.
• Self-hosted administrators must immediately upgrade LangSmith to version 0.12.71 or Helm chart langsmith-0.12.33, both released on December 20, 2025.
• Security teams should routinely ensure sensitive data is sanitized before it reaches the AI monitoring layer to limit exposure in the event of potential infrastructure breaches.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post Critical LangSmith Vulnerability Enables Complete Account Takeover appeared first on Cyber Security News.