Main Vulnerability Database SB2026041529

SB2026041529 - Inclusion of Sensitive Information in Log Files in langsmith-sdk

Published: April 15, 2026

Security Bulletin ID SB2026041529

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into log data in streaming token event handling when processing streaming LLM output. A remote attacker can trigger streaming output so that raw token values are recorded in new_token events to disclose sensitive information.

The issue affects both the JavaScript and Python SDK implementations, where output redaction applies to inputs and outputs fields but not to the events array.

Remediation

Install update from vendor's website.

References

https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-rr7j-v2q5-chgv