Cyber Posture

CVE-2026-25750

High

Published: 04 March 2026

Modified: 18 March 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (13.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25750 is a high-severity Injection (CWE-74) vulnerability in Langchain Langsmith. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE ranks at the 13.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates URL parameter injection by requiring validation and neutralization of special elements in inputs like the baseUrl parameter to prevent authentication token exfiltration.

Prevent: Ensures timely flaw remediation through patching to version 0.12.71, which adds origin validation for baseUrl to block unauthorized token transmission.

Prevent: Enforces approved information flows to restrict transmission of sensitive data like bearer tokens to only authorized origins or destinations.

MITRE ATT&CK Enterprise Techniques

T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

T1528 Steal Application Access Token (Credential Access): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Why these techniques?

URL parameter injection enables crafting malicious links for spearphishing (T1566.002) that leak bearer tokens to attacker servers, directly facilitating theft of application access tokens (T1528) for impersonation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm version 0.12.71, a URL parameter injection vulnerability existed in LangSmith Studio that could allow unauthorized access to user accounts through stolen authentication tokens. The vulnerability affected both LangSmith Cloud and self-hosted deployments. Authenticated LangSmith users who clicked on a specially crafted malicious link would have their bearer token, user ID, and workspace ID transmitted to an attacker-controlled server. With this stolen token, an attacker could impersonate the victim and access any LangSmith resources or perform any actions the user was authorized to perform within their workspace. The attack required social engineering (phishing, malicious links in emails or chat applications) to convince users to click the crafted URL. The stolen tokens expired after 5 minutes, though repeated attacks against the same user were possible if they could be convinced to click malicious links multiple times. The fix in version 0.12.71 implements validation requiring user-defined allowed origins for the baseUrl parameter, preventing tokens from being sent to unauthorized servers. No known workarounds are available. Self-hosted customers must upgrade to the patched version.

Deeper analysis

CVE-2026-25750 is a URL parameter injection vulnerability in LangSmith Studio, part of the Langchain Helm Charts used for deploying Langchain applications on Kubernetes. The issue affects versions prior to langchain-ai/helm 0.12.71 and impacts both LangSmith Cloud and self-hosted deployments. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-74 (Injection).

The vulnerability enables exploitation through social engineering, where an attacker crafts a malicious link that an authenticated LangSmith user clicks, such as via phishing emails or chat applications. This action transmits the victim's bearer token, user ID, and workspace ID to an attacker-controlled server. With the stolen token, the attacker can impersonate the user, accessing any LangSmith resources or performing actions authorized within the victim's workspace. Tokens expire after 5 minutes, but repeated attacks are feasible if the user can be tricked into clicking additional links.

According to the advisory at https://github.com/langchain-ai/helm/security/advisories/GHSA-r8wq-jwgw-p74g, version 0.12.71 resolves the issue by adding validation that requires user-defined allowed origins for the baseUrl parameter, blocking token transmission to unauthorized servers. No workarounds exist, and self-hosted deployments must upgrade to the patched version.
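
One way to implement the kind of allowed-origins check on baseUrl that the fix describes, as an added example (not LangSmith's code). The allowlist contents, hostnames and function names are hypothetical, and the sample inputs are constructed to exercise the URL-parsing edge cases a string-prefix check would miss.

```javascript
// Added example: hypothetical allowlist check for a user-supplied baseUrl.
// ALLOWED_ORIGINS and every hostname below are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  "https://agent.internal.example",
  "http://localhost:2024",
]);

// Returns the normalized origin if baseUrl may receive credentials, else null.
function allowedOriginFor(baseUrl) {
  if (typeof baseUrl !== "string") return null;
  let url;
  try {
    url = new URL(baseUrl); // absolute URLs only; relative input throws
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Embedded credentials are a common way to disguise the real host.
  if (url.username !== "" || url.password !== "") return null;
  // url.origin is scheme + lowercased host + non-default port, so an exact
  // Set lookup rejects suffix and prefix look-alikes that startsWith() or
  // includes() checks would let through.
  return ALLOWED_ORIGINS.has(url.origin) ? url.origin : null;
}

// Attach the bearer token only when the destination origin is allowlisted.
function buildRequestHeaders(baseUrl, bearerToken) {
  const origin = allowedOriginFor(baseUrl);
  if (origin === null) return { allowed: false, headers: {} };
  return { allowed: true, origin, headers: { Authorization: `Bearer ${bearerToken}` } };
}

// Constructed inputs: three legitimate forms, then five that must be refused.
const SAMPLES = [
  "https://agent.internal.example/api",
  "HTTPS://Agent.Internal.Example:443/",            // normalizes to allowed origin
  "http://localhost:2024",
  "https://agent.internal.example.other.example/",  // suffix look-alike
  "https://agent.internal.example@other.example/",  // userinfo disguises host
  "http://agent.internal.example/",                 // scheme differs from allowlist
  "//agent.internal.example/",                      // not an absolute URL
  "javascript:void(0)",                             // non-http scheme
];

// One boolean per sample: was the token allowed to be sent?
function classifySamples() {
  return SAMPLES.map((s) => buildRequestHeaders(s, "constructed-token").allowed);
}
```
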

Details

CWE(s)

Affected Products

langchain
langsmith
≤ 0.12.71

AI Security Analysis

AI Category
NLP and Transformers
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: langchain, langchain, langchain, ai

CVEs Like This One

CVE-2026-34070 (Same vendor: Langchain)
CVE-2026-27795 (Same vendor: Langchain)
CVE-2024-58340 (Same vendor: Langchain)
CVE-2025-68664 (Same vendor: Langchain)
CVE-2026-28277 (Same vendor: Langchain)
CVE-2026-33202 (Shared CWE-74)
CVE-2026-25586 (Shared CWE-74)
CVE-2026-22200 (Shared CWE-74)
CVE-2025-1691 (Shared CWE-74)
CVE-2026-32616 (Shared CWE-74)
