GHSA-F4XH-W4CJ-QXQ8: Arbitrary Server-Side File Read in LangSmith SDK TracingMiddleware
CVSS Score: 7.7
Published: 2026-06-19
Full Report: https://cvereports.com/reports/GHSA-F4XH-W4CJ-QXQ8
The LangSmith Python SDK TracingMiddleware is vulnerable to an arbitrary server-side file read. Due to origin validation and type confusion flaws, external inputs parsed from distributed tracing headers bypass local filesystem read protections, allowing remote attackers to silently exfiltrate arbitrary server files to the telemetry dashboard.