CVE-2026-25750: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in langchain-ai helm
Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm version 0.12.71, a URL parameter injection vulnerability existed in LangSmith Studio that could allow unauthorized access to user accounts through stolen authentication tokens. The vulnerability affected both LangSmith Cloud and self-hosted deployments. Authenticated LangSmith users who clicked on a specially crafted malicious link would have their bearer token, user ID, and workspace ID transmitted to an attacker-controlled server. With this stolen token, an attacker could impersonate the victim and access any LangSmith resources or perform any actions the user was authorized to perform within their workspace. The attack required social engineering (phishing, malicious links in emails or chat applications) to convince users to click the crafted URL. The stolen tokens expired after 5 minutes, though repeated attacks against the same user were possible if they could be convinced to click malicious links multiple times. The fix in version 0.12.71 implements validation requiring user-defined allowed origins for the baseUrl parameter, preventing tokens from being sent to unauthorized servers. No known workarounds are available. Self-hosted customers must upgrade to the patched version.
AI Analysis
Technical Summary
CVE-2026-25750 is a vulnerability classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) affecting Langchain Helm Charts used to deploy Langchain applications on Kubernetes. Specifically, prior to version 0.12.71, LangSmith Studio's handling of a URL parameter (baseUrl) was flawed, allowing injection of malicious URLs that caused the user's bearer token, user ID, and workspace ID to be transmitted to attacker-controlled servers. This vulnerability impacts both LangSmith Cloud and self-hosted deployments. The attack vector requires social engineering to convince authenticated users to click on specially crafted malicious links. Upon clicking, sensitive authentication tokens are leaked, enabling attackers to impersonate the victim and perform any authorized actions within the victim’s workspace. The stolen tokens have a short lifespan of 5 minutes, but attackers can repeatedly exploit the vulnerability if users are repeatedly tricked. The root cause is the lack of validation on the baseUrl parameter, which allowed injection of unauthorized origins. The fix introduced in version 0.12.71 mandates user-defined allowed origins for the baseUrl parameter, effectively preventing tokens from being sent to unauthorized endpoints. There are no known workarounds, making patching critical. Although no exploits have been observed in the wild, the vulnerability’s ease of exploitation via phishing and the high privileges granted by stolen tokens make it a significant risk.
Potential Impact
The impact of CVE-2026-25750 is substantial for organizations using Langchain Helm Charts to deploy LangSmith Studio, especially those with sensitive or critical workloads. Successful exploitation results in unauthorized access to user accounts and workspaces, enabling attackers to view, modify, or delete data and perform any actions the compromised user is authorized to do. This can lead to data breaches, intellectual property theft, sabotage of AI workflows, and loss of trust. Since the tokens grant bearer authentication, attackers can bypass normal authentication controls. The short token expiration limits the window but does not eliminate risk, especially in environments where users can be repeatedly targeted. Both cloud and self-hosted deployments are affected, increasing the attack surface. Organizations relying on Langchain for AI application deployment must consider the risk of phishing campaigns exploiting this vulnerability. The lack of workarounds means that until patched, the vulnerability remains exploitable. The potential for lateral movement within workspaces and access to sensitive AI models or data further elevates the threat.
Mitigation Recommendations
The primary mitigation is to upgrade all Langchain Helm Chart deployments to version 0.12.71 or later, which includes the fix enforcing allowed origins validation on the baseUrl parameter. For self-hosted customers, immediate patching is critical as no workarounds exist. Organizations should also implement robust phishing awareness training to reduce the likelihood of users clicking malicious links. Network-level protections such as URL filtering and email security gateways can help block known malicious URLs. Monitoring for unusual access patterns or repeated authentication token usage may help detect exploitation attempts. Where possible, enforce short session lifetimes and multi-factor authentication to reduce the impact of stolen tokens. Additionally, review and restrict user permissions within LangSmith workspaces to limit potential damage from compromised accounts. Finally, maintain up-to-date inventories of affected deployments to ensure comprehensive patch management.
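The allowed-origins validation the fix relies on, as an added JavaScript example that is not code from langchain-ai/helm or LangSmith Studio. The names ALLOWED_ORIGINS, DEFAULT_BASE_URL, naiveBaseUrlCheck, normalizeOrigin and resolveBaseUrl are assumed, and every hostname is constructed; it contrasts a prefix check that lets lookalike hosts through with an exact-origin allowlist that a bearer token should only ever be sent to:

```javascript
// Added example, not code from langchain-ai/helm or LangSmith Studio. It shows
// the class of check the 0.12.71 fix describes: a user-supplied baseUrl is only
// honoured when its origin appears in an operator-defined allowlist, so the
// bearer token is never sent anywhere else. All hostnames below are constructed.

// Operator-configured allowed origins (scheme://host[:port], exact match).
const ALLOWED_ORIGINS = new Set([
  "https://langsmith.example.internal",
  "http://localhost:1984",
]);
const DEFAULT_BASE_URL = "https://langsmith.example.internal";

// Weak check of the kind that lets lookalike hosts through: a prefix test
// accepts "https://langsmith.example.internal.attacker.example".
function naiveBaseUrlCheck(requested) {
  return requested.startsWith("https://langsmith.example.internal");
}

// Parse the candidate and reduce it to its origin. Returns null for anything
// that is not a plain http(s) URL, including URLs carrying userinfo, which
// would let "https://langsmith.example.internal@other.example" parse with a
// different host than a reader expects.
function normalizeOrigin(value) {
  let url;
  try {
    url = new URL(value); // no base URL: relative or schemeless input throws
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.username !== "" || url.password !== "") return null;
  // url.origin lowercases the host and drops a default port, so
  // "HTTPS://Langsmith.Example.Internal:443" equals the allowlist entry.
  return url.origin;
}

// Decide which base URL the client may talk to. Anything not on the allowlist
// falls back to the deployment default; the reason is returned so that a
// rejection can be logged and alerted on.
function resolveBaseUrl(requested, allowed = ALLOWED_ORIGINS, fallback = DEFAULT_BASE_URL) {
  if (requested === undefined || requested === null || requested === "") {
    return { baseUrl: fallback, reason: "default" };
  }
  const origin = normalizeOrigin(requested);
  if (origin === null) return { baseUrl: fallback, reason: "unparseable-or-unsupported" };
  if (!allowed.has(origin)) return { baseUrl: fallback, reason: "origin-not-allowed" };
  return { baseUrl: origin, reason: "allowed" };
}

// Stand-alone demo over constructed inputs (Node, CommonJS).
if (typeof require !== "undefined" && require.main === module) {
  for (const sample of [
    "https://langsmith.example.internal",
    "HTTPS://Langsmith.Example.Internal:443/projects?x=1",
    "https://langsmith.example.internal.attacker.example",
    "https://langsmith.example.internal@other.example",
    "//attacker.example",
    "",
  ]) {
    console.log(JSON.stringify(sample), "->", resolveBaseUrl(sample));
  }
}
```

Two design points matter here: the comparison is against the parsed origin rather than the raw string, so scheme casing, default ports, paths and query strings cannot produce a mismatch or a false match, and the rejection reason is surfaced so that repeated rejected baseUrl values can feed the access-pattern monitoring recommended above.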
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-05T18:35:52.356Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a8cbd6d1a09e29cb893bab
Added to database: 3/5/2026, 12:18:30 AM
Last enriched: 3/5/2026, 12:33:14 AM
Last updated: 4/19/2026, 11:01:25 AM