Security researchers from Miggo have uncovered a significant vulnerability in LangSmith, labeled CVE-2026-25750, which poses a risk of token theft and potential account takeover. LangSmith, a platform central to debugging and monitoring large language model data, handles billions of daily events, making this flaw particularly concerning for enterprise AI systems.
Details of the Vulnerability
The issue arises from an insecure API configuration within LangSmith Studio. The application accepts a flexible baseUrl parameter that lets developers direct data retrieval to various backend APIs. Prior to a recent patch, the application did not validate the destination domain and trusted the input implicitly.
This oversight resulted in a critical security gap. Authenticated LangSmith users who accessed malicious sites or clicked crafted links risked having their API requests and session credentials redirected to an attacker-controlled server.
Exploitation Mechanism
Exploiting the vulnerability does not require traditional phishing methods. Instead, it operates silently, utilizing the victim’s active session. The attack sequence begins when a user visits a compromised webpage, triggering a script that reroutes the browser to an attacker-controlled LangSmith Studio URL.
This redirection causes the browser to send its active session credentials to a malicious domain, providing attackers a brief window to hijack the account before the token expires in five minutes.
Consequences and Mitigation
Account takeovers in AI observability platforms present significant risks. Attackers could access detailed AI trace histories, potentially revealing proprietary data, source code, or sensitive financial information. They might also alter project settings or delete critical workflows.
LangChain has addressed the vulnerability by enforcing a strict allowed origins policy. Domains must be pre-approved in account settings to be accepted as API base URLs, with unauthorized requests now automatically blocked.
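One way to implement the kind of allowed-origins check described above, shown as an added example and not LangChain's own code. The function names and the `.test` hostnames are constructed for illustration; the check compares the parsed origin exactly instead of matching on the raw string.

```javascript
// Added example: exact-origin allow-list check for a user-supplied baseUrl.
// Hostnames are constructed placeholders (.test is a reserved TLD).

// Normalize configured entries to canonical origins (scheme + host + port).
function buildAllowedOrigins(entries) {
  return new Set(entries.map((entry) => new URL(entry).origin));
}

// Decide whether session credentials may be sent to `candidate`.
function validateBaseUrl(candidate, allowedOrigins) {
  let url;
  try {
    url = new URL(candidate); // absolute URLs only; relative input throws
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme" };
  }
  // Userinfo can make "https://trusted-host@other-host/" look trusted.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo" };
  }
  // Exact match on the parsed origin; prefix or suffix matching on the
  // raw string would accept look-alike hosts.
  if (!allowedOrigins.has(url.origin)) {
    return { ok: false, reason: "origin-not-allowed" };
  }
  return { ok: true, origin: url.origin };
}

// Constructed sample inputs covering the edge cases the check must handle.
const allowed = buildAllowedOrigins(["https://api.example.test"]);
const samples = [
  "https://api.example.test/v1/runs",           // pre-approved origin
  "https://API.Example.test:443/v1",            // same origin after normalization
  "https://api.example.test.attacker.test/v1",  // look-alike suffix host
  "https://api.example.test@attacker.test/v1",  // userinfo confusion
  "https://api.example.test:8443/v1",           // different port, different origin
  "http://api.example.test/v1",                 // scheme downgrade
  "//attacker.test/v1",                         // scheme-relative input
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(validateBaseUrl(s, allowed)));
}
```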
According to the LangSmith Security Advisory on January 7, 2026, there is no evidence of active exploitation. While cloud customers need not take action, self-hosted administrators must upgrade to LangSmith version 0.12.71 or Helm chart langsmith-0.12.33 to secure their environments.
