This vulnerability resides in the LangSmith SDK’s `TracingMiddleware` component, which is used to automatically propagate distributed tracing context across HTTP requests. The middleware processes incoming HTTP headers to reconstruct trace context and attach it to the current execution run.
The flaw arises from a combination of two distinct defects. First, a field supplied through a tracing-propagation header is merged directly into the run object without proper validation, allowing an attacker to inject arbitrary run attributes—including file attachments (CWE-346). Second, a type check intended to gate filesystem access does not match the type of the decoded input, meaning the security guard never actually engages (CWE-843).
When these defects are chained together, an attacker can craft a malicious HTTP request containing a specially constructed tracing header. The middleware processes this header, merges the attacker-controlled attributes into the run, and—because the type check fails—proceeds to treat the injected attribute as a valid file attachment. The server then opens the attacker-specified file from its local filesystem and uploads its contents to LangSmith as a trace attachment via the background tracing thread (CWE-22).
Crucially, triggering the file read requires only the ability to send an HTTP request to the server. Depending on deployment configuration, this may not require any authentication whatsoever. However, retrieving the uploaded file contents requires read access to the destination LangSmith workspace, as the upload uses the server’s own configured API key and workspace—which the attacker cannot redirect. The net effect is a trust-boundary crossing: any party with workspace trace-read access (e.g., a low-privilege workspace member, a contractor, or a compromised teammate account) gains the ability to read arbitrary files from any server running the vulnerable TracingMiddleware.
The vulnerability affects all Python SDK versions prior to 0.8.18. The issue was first reported by security researcher @Ryu7zz.
DailyCVE Form
Platform: LangSmith Python SDK
Version: < 0.8.18
Vulnerability: Path Traversal / Arbitrary File Read
Severity: High (7.7 CVSS)
Date: 2026-06-19
Prediction: 2026-06-19 (already released)
What Undercode Say
Analytics
The vulnerability manifests when the `TracingMiddleware` processes HTTP headers to reconstruct distributed trace context. The core issue lies in the `RunTree.from_headers()` method (or its alias `RunTree.fromHeaders()`), which accepts untrusted HTTP headers and merges them into the run object without adequate validation.
Key technical observations:
- The injection occurs via tracing-propagation headers that are merged directly into the run attributes
- The attachment field is accepted without validation against a whitelist or sanitization
- A type-check guard intended to prevent filesystem access fails due to type mismatch between the decoded input and the expected type
- The file read and upload occur asynchronously via the background tracing thread, making the attack stealthy
- The server’s own API key is used for upload, meaning the attacker cannot redirect the exfiltration channel
Affected versions: All Python SDK releases from 0.0.0rc0 through 0.8.17
Fixed version: 0.8.18
Exploit
An attacker can exploit this vulnerability by sending an HTTP request to a server running the vulnerable `TracingMiddleware` with a crafted tracing header that injects a file attachment attribute pointing to a target file on the server’s filesystem.
Example attack flow:
```bash
# Attacker sends HTTP request to vulnerable server
curl -X GET http://vulnerable-server/api/endpoint \
  -H "traceparent: 00-<trace-id>-<span-id>-01" \
  -H "baggage: <injected-attachment-attribute>"
```
Conceptual payload structure (simplified):
The injected attribute causes the server to read:
- /etc/passwd
- /app/config/secrets.json
- /var/run/secrets/kubernetes.io/serviceaccount/token
- Any file accessible to the server process
The server then:
1. Processes the tracing header
2. Merges the attacker-controlled attachment attribute into the run
3. Bypasses the broken type-check guard
4. Opens the specified file from the local filesystem
5. Uploads the file contents as a trace attachment to LangSmith
An attacker with workspace trace-read access can then retrieve the uploaded file contents from the LangSmith workspace.
Protection
Immediate Remediation
Upgrade the Python LangSmith SDK to version 0.8.18 or later:
```bash
# Quote the requirement so the shell does not treat ">=" as an output redirection
pip install --upgrade "langsmith>=0.8.18"
```
Workarounds (if unable to upgrade immediately)
1. Do not expose `TracingMiddleware` to untrusted HTTP traffic:
– Place the middleware behind authentication/authorization layers
– Restrict access to trusted internal networks only
– Use API gateways or WAF rules to filter/validate tracing headers
2. Limit workspace trace-read access to trusted members only:
– Audit LangSmith workspace memberships
– Remove unnecessary users
– Apply principle of least privilege
3. Input validation (defense-in-depth):
– Validate and sanitize all incoming tracing headers before processing
– Implement strict allowlists for attachment fields
– Consider disabling file attachment features if not required
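The header-filtering workaround above, sketched as a small ASGI wrapper installed outside `TracingMiddleware` so that untrusted peers cannot supply trace context at all. This is an added example, not LangSmith's code or its fix; it assumes an ASGI deployment, and the class name, logger name, trusted-network list and the `langsmith-trace` header name are assumptions not taken from the advisory.

```python
import asyncio
import ipaddress
import logging

# "traceparent" and "baggage" appear in the advisory's example request;
# "langsmith-trace" is assumed here to be the SDK's own propagation header.
TRACING_HEADERS = frozenset({b"traceparent", b"baggage", b"langsmith-trace"})
log = logging.getLogger("tracing_guard")  # hypothetical logger name


class StripUntrustedTracingHeaders:
    """ASGI wrapper: drop trace-propagation headers unless the peer is trusted."""

    def __init__(self, app, trusted_networks=()):
        self.app = app
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]

    def _is_trusted(self, scope):
        try:
            addr = ipaddress.ip_address((scope.get("client") or ("",))[0])
        except ValueError:
            return False  # unknown or unparsable peer: fail closed
        return any(addr in net for net in self.trusted)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and not self._is_trusted(scope):
            headers = scope.get("headers", [])
            kept = [(k, v) for k, v in headers if k.lower() not in TRACING_HEADERS]
            if len(kept) != len(headers):
                # Doubles as a detection signal for anomalous tracing headers.
                log.warning("stripped tracing headers from %s", scope.get("client"))
            scope = dict(scope, headers=kept)
        await self.app(scope, receive, send)


def headers_seen_by_app(client_ip):
    """Run a constructed request through the guard; return header names the app sees."""
    seen = []
    async def inner(scope, receive, send):
        seen.extend(name for name, _ in scope["headers"])
    scope = {"type": "http", "client": (client_ip, 40000), "headers": [
        (b"host", b"svc.example"),                        # constructed sample values
        (b"traceparent", b"00-<trace-id>-<span-id>-01"),
        (b"baggage", b"<placeholder>"),
    ]}
    guard = StripUntrustedTracingHeaders(inner, ["10.0.0.0/8"])
    asyncio.run(guard(scope, None, None))
    return seen
```

Behind a reverse proxy the ASGI `client` address is the proxy's, so either strip these headers at the proxy or resolve the real peer before this wrapper runs.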
Detection
Monitor for:
- Unexpected file read operations from the server process
- Unusual trace attachments being uploaded to LangSmith
- Anomalous tracing headers in HTTP requests
Impact
Confidentiality (High): An attacker can read arbitrary files accessible to the server process. This includes:
– Configuration files containing credentials and API keys
– Source code and proprietary business logic
– Environment variables and secrets
– Kubernetes service account tokens
– Database connection strings
– TLS/SSL private keys
– Any other sensitive data stored on the filesystem
Trust Boundary Violation: The vulnerability enables a party with workspace trace-read access (a low-privilege workspace member, contractor, or compromised account) to read files from any server running the vulnerable middleware—a capability far outside the intended trust boundary of the LangSmith workspace.
Exposure Surface: Any HTTP-accessible server running the vulnerable `TracingMiddleware` is a potential target. In many deployments, triggering the file read requires no authentication whatsoever.
CVSS Score: 7.7 (High)
CWE Classifications:
- CWE-346: Origin Validation Error
- CWE-843: Access of Resource Using Incompatible Type (‘Type Confusion’)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Sources:
Reported By: github.com