Critical LangSmith Vulnerability Account Takeover
Researchers at Miggo Security have found a serious flaw (CVE-2026-25750) in LangSmith, a popular AI observability platform that businesses use to monitor and debug their Large Language Models (LLMs). LangSmith is a central hub for corporate AI data because it processes almost a billion events every day. The newly revealed flaw put authenticated users at risk of having their tokens stolen and their accounts taken over completely.
A compromised account could leak highly sensitive information, such as internal SQL queries, customer records, and proprietary source code, because the platform sits at the intersection of application logic and data.
The Core Vulnerability
With LangSmith Studio, developers can use the baseUrl parameter to set a target backend API.
Before the patch, the app trusted this input without checking the destination domain. A user who is already logged into LangSmith could be compromised just by visiting a website controlled by an attacker or by unknowingly running hostile JavaScript.
[Figure: how the Account Takeover attack works from start to finish (Source: Miggo)]
The attacker's site would secretly load a LangSmith URL that had been changed to point to a bad base URL. The victim's browser would be tricked into sending their active session credentials straight to the attacker's domain instead of talking to the real server. This attack is different from traditional phishing because the victim doesn't have to enter their username or password; the exploit happens automatically in the background.
Once the attacker gets the session token, they have five minutes to impersonate the victim and take over the LangSmith account. This gives the attacker broad access to the organization's core AI logic. An attacker who successfully exploits the system can do a number of important things:
- Retrieve raw data from internal databases and APIs, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and financial records.
- Steal system prompts and access the proprietary intellectual property that controls how the AI works.
- Take over the account to change the settings for a project or delete AI projects altogether.
Details about the patch and how to fix it
After Miggo Security responsibly disclosed the issue on December 1, 2025, LangChain created a centralized fix by putting in place a strict Allowed Origins policy.
The target domain must now be explicitly marked as a trusted origin in the user's account settings. This completely stops the unauthorized base URL attack. LangChain's official security advisory, published on January 7, 2026, said that there have been no reports of active exploitation in the wild.
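The kind of check an Allowed Origins policy implies, written as an added example and not LangChain's code: a client resolves a user-supplied baseUrl to its origin and attaches the session token only when that origin is in an allowlist. The function names, the hosts, and the bearer-token header are assumptions made for illustration.

```javascript
// Added example: origin allowlist check for a user-supplied baseUrl.
// All names and hosts here are hypothetical, not LangSmith's code.

// Constructed allowlist, standing in for trusted origins in account settings.
const ALLOWED_ORIGINS = new Set([
  "https://api.smith.example",
  "https://langgraph.internal.example:8443",
]);

// Returns the normalized origin if baseUrl is acceptable, otherwise null.
function resolveTrustedOrigin(baseUrl, allowed = ALLOWED_ORIGINS) {
  if (typeof baseUrl !== "string") return null;
  let url;
  try {
    url = new URL(baseUrl); // absolute URLs only; relative input throws
  } catch {
    return null;
  }
  // Require TLS so the token never travels in clear text.
  if (url.protocol !== "https:") return null;
  // Reject embedded credentials such as https://trusted@other-host/.
  if (url.username !== "" || url.password !== "") return null;
  // url.origin is scheme + host + port after parser normalization, so
  // exact set membership rules out prefix, suffix and substring lookalikes.
  return allowed.has(url.origin) ? url.origin : null;
}

// Attach the session token only when the destination passes the check.
function buildRequest(baseUrl, path, sessionToken) {
  const origin = resolveTrustedOrigin(baseUrl);
  if (origin === null) {
    return { ok: false, reason: "baseUrl origin is not in the allowlist" };
  }
  return {
    ok: true,
    url: new URL(path, origin).href,
    headers: { Authorization: `Bearer ${sessionToken}` }, // assumed header
  };
}
```

Comparing the parsed origin, rather than matching the raw string with a prefix or substring test, is what makes the check hold up against case changes, default ports and lookalike hostnames.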
Organizations need to check their deployment status to keep environments safe:
- Cloud customers don't have to do anything because LangChain patched the SaaS platform for everyone on December 15, 2025.
- Administrators who host their own servers must upgrade LangSmith to version 0.12.71 or Helm chart langsmith-0.12.33 right away. Both were released on December 20, 2025.
To limit exposure in case of possible infrastructure breaches, security teams should regularly make sure that sensitive data is cleaned up before it gets to the AI monitoring layer.












