Critical LangSmith Account Takeover Weakness

Miggo Security researchers have found a serious flaw in LangSmith, tracked as CVE-2026-25750, that could let hackers steal tokens and take over users' accounts. LangSmith is a central hub for debugging and monitoring large language model data.
It processes billions of events every day, which makes this a very serious security flaw for enterprise AI environments. The problem stems from an insecure API configuration feature in LangSmith Studio. The platform has a flexible baseUrl parameter that lets developers tell their frontend app to get data from different backend APIs. Before the patch, the app trusted this input without checking the domain of the destination.
Because there was no validation, this created a big security hole.
If an authenticated LangSmith user visited a malicious site or clicked on a link with a base URL controlled by an attacker, their browser would automatically send API requests and session credentials to the hostile server.

Vulnerability in LangSmith Account Takeover

Exploiting this weakness does not require traditional phishing, where the user types in their credentials. Instead, the attack happens quietly in the background using the victim's active session.
The sequence starts when the authenticated victim visits a malicious webpage or a legitimate site that has been compromised with hostile JavaScript. This script then makes the browser load a crafted LangSmith Studio URL that points to a server controlled by the attacker.
Because of this, the victim's browser sends its active session credentials to the malicious domain instead of the default server. The attacker gets the session token and has five minutes to take over the account before the token expires on its own.

[Figure: how the Account Takeover attack works from start to finish (Source: Miggo)]

Taking over an account on an AI observability platform poses risks that go far beyond just getting in without permission.
If attackers get into a LangSmith account, they can see detailed AI trace histories, which often include raw execution data that is used for debugging. If threat actors are able to successfully exploit a system, they can read raw data returned from internal databases. This could include proprietary source code, financial records, or private customer information.
Attackers can also steal the system prompts that tell the AI models how to act and that constitute the company's intellectual property. They can also take over the account to change project settings or delete important observability workflows altogether.

Updates and Mitigation

Miggo says that LangChain fixed the security hole by putting in place a strict policy on allowed origins.
Before a domain can be used as an API base URL, it must be explicitly set up as a trusted origin in the account settings. Requests for base URLs that aren't authorized are automatically blocked. The official LangSmith Security Advisory from January 7, 2026, says that there is no evidence that the problem is being exploited in the wild.
Cloud customers don't need to do anything because the vulnerability was completely fixed on the LangSmith Cloud platform by December 15, 2025. But self-hosted administrators need to upgrade their installations to LangSmith version 0.12.71 or Helm chart langsmith-0.12.33 and later right away to make sure their environments are safe.
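
The allowed-origins policy described under Updates and Mitigation can be illustrated with an exact-origin check that runs before any session credential is attached to a request. This is an added example, not LangChain's or Miggo's code; the function names, the trusted origins and the bearer-token header are assumptions made for illustration.

```javascript
// Added illustration, not LangSmith source. Origins are constructed placeholders.
const TRUSTED_ORIGINS = new Set([
  "https://api.langsmith.example",
  "https://langsmith.internal.example:8443",
]);

// Returns the normalized origin when baseUrl is allowed, otherwise null.
function resolveTrustedBaseUrl(baseUrl, trusted = TRUSTED_ORIGINS) {
  if (typeof baseUrl !== "string") return null;
  let url;
  try {
    url = new URL(baseUrl); // absolute URLs only; relative input throws
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;    // rejects http:, data:, etc.
  if (url.username || url.password) return null; // rejects https://trusted@other-host/
  // Compare the parser's normalized origin (scheme + host + port) exactly.
  // Prefix, suffix or substring matching would accept look-alike hostnames.
  return trusted.has(url.origin) ? url.origin : null;
}

// Attaches the session credential only when the destination is trusted.
// The Authorization header shape is an assumption for this sketch.
function buildApiRequest(baseUrl, path, sessionToken) {
  const origin = resolveTrustedBaseUrl(baseUrl);
  if (origin === null) {
    throw new Error("blocked: base URL is not a trusted origin");
  }
  const target = new URL(path, origin);
  // An absolute or protocol-relative path would silently replace the base.
  if (target.origin !== origin) {
    throw new Error("blocked: request path leaves the trusted origin");
  }
  return {
    url: target.toString(),
    headers: { Authorization: `Bearer ${sessionToken}` },
  };
}
```

The second origin check in buildApiRequest matters because the URL constructor ignores its base argument when the path is itself absolute or begins with `//`.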












