CVE-2026-41182 Overview
A sensitive data exposure vulnerability has been identified in LangSmith Client SDKs that allows streaming token events to bypass output redaction controls. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely, resulting in potential leakage of sensitive LLM output data.
Critical Impact
Applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events, potentially exposing confidential information processed by LLM applications.
Affected Products
- LangSmith JavaScript SDK versions prior to 0.5.19
- LangSmith Python SDK versions prior to 0.7.31
Discovery Timeline
- 2026-04-23 - CVE CVE-2026-41182 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41182
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The security flaw exists in how the LangSmith SDK processes streaming output from Large Language Model (LLM) runs.
The redaction functions prepareRunCreateOrUpdateInputs in JavaScript and _hide_run_outputs in Python are designed to prevent sensitive data from being logged to the LangSmith platform. However, these functions only process the inputs and outputs fields on a run object and never examine the events array.
When streaming mode is enabled, each token generated by the LLM is recorded as a new_token event in the events array. Since the redaction pipeline does not inspect this array, the raw token values are transmitted and stored without any sanitization, completely bypassing the intended security controls.
Root Cause
The root cause of this vulnerability is an incomplete implementation of the output redaction feature. The redaction logic was designed to handle static input/output fields but failed to account for the streaming event pathway. The events array, which captures real-time streaming tokens, was not included in the redaction scope, creating a data leak vector that circumvents the security controls entirely.
Attack Vector
The vulnerability can be exploited through network-accessible LangSmith SDK integrations. An attacker does not need authentication or user interaction to exploit this flaw. The attack scenario involves:
- An application using LangSmith SDK with output redaction enabled
- The application processes sensitive data through LLM streaming responses
- Despite redaction being configured, the streaming token events capture and transmit the complete raw output
- Sensitive information is stored in LangSmith logs, accessible to anyone with log access
The vulnerability is exploited passively—the mere use of streaming mode with redaction enabled results in data exposure. No active exploitation code is required; the SDK's normal operation leaks the data when streaming is used.
For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-41182
Indicators of Compromise
- Presence of new_token events in LangSmith run logs containing sensitive data that should have been redacted
- Streaming token data visible in LangSmith platform despite hideOutputs or hide_outputs being enabled
- Unexpected sensitive information appearing in LangSmith telemetry or audit logs
Detection Strategies
- Review LangSmith run events for any sensitive data that should have been filtered by redaction controls
- Audit application configurations to identify deployments using streaming mode with redaction enabled
- Implement automated scanning of LangSmith logs to detect potential data exposure patterns
- Check SDK version numbers in dependency manifests to identify vulnerable installations
Monitoring Recommendations
- Monitor LangSmith API traffic for streaming token events containing potentially sensitive patterns
- Implement log analysis rules to detect sensitive data patterns in run events
- Set up alerts for applications using affected SDK versions in production environments
- Establish periodic audits of stored LangSmith data to identify any leaked sensitive information
How to Mitigate CVE-2026-41182
Immediate Actions Required
- Upgrade LangSmith JavaScript SDK to version 0.5.19 or later immediately
- Upgrade LangSmith Python SDK to version 0.7.31 or later immediately
- Audit existing LangSmith logs for potential sensitive data exposure from streaming token events
- Review and purge any sensitive data that may have been inadvertently stored in LangSmith
Patch Information
The vulnerability has been addressed in LangSmith JavaScript SDK version 0.5.19 and Python SDK version 0.7.31. These patched versions extend the redaction pipeline to properly process the events array, ensuring that streaming token events are also subject to output redaction controls. For additional details, see the GitHub Security Advisory.
Workarounds
- Disable streaming mode for LLM runs that process sensitive data until patches can be applied
- Temporarily disable LangSmith tracing entirely for applications handling highly sensitive information
- Implement application-level filtering to prevent sensitive data from reaching LLM streaming responses
- Consider using synchronous (non-streaming) LLM calls where redaction is properly enforced
# Configuration example for upgrading affected SDKs
# For JavaScript/Node.js projects
npm update langsmith@0.5.19
# For Python projects
pip install --upgrade langsmith>=0.7.31
# Verify installed versions
npm list langsmith
pip show langsmith
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
