Technical description
A URL parameter injection vulnerability in LangSmith Studio allows unauthorized access to user accounts through stolen authentication tokens. It affects deployments from langchain-ai/helm versions prior to 0.12.71.
Attack vector
Malicious links can extract bearer tokens, user IDs, and workspace IDs from authenticated LangSmith users and transmit those credentials to attacker-controlled servers.
Affected systems
LangChain LangSmith Studio installations deployed from langchain-ai/helm versions prior to 0.12.71.
Mitigation
Update to langchain-ai/helm version 0.12.71 or later. Review user authentication logs for suspicious access patterns, since tokens stolen before the upgrade remain valid until they are revoked or expire.
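The advisory asks operators to review authentication logs for suspicious access. The script below is an added example of what that review can look like, not code from the advisory or from LangSmith. It assumes a constructed log format (one JSON object per line with `ts`, `user_id`, `token_id`, `src_ip` and `user_agent` fields); a real deployment's log schema will differ and the field names would need to be mapped. `token_id` is an opaque identifier or hash of the bearer token, never the token value itself, so that the review does not itself spread credentials. The pattern that matters after a token-theft bug is one token in use from two places at once: the same token from two source addresses inside a short window, or a client change mid-session.

```python
"""Flag authentication-log patterns consistent with a stolen bearer token
being reused by a second party.

Added example, not part of the advisory or of LangSmith. The log format
is constructed for illustration: one JSON object per line with fields
ts (ISO-8601 UTC), user_id, token_id (an opaque identifier or hash of the
bearer token, never the token itself), src_ip and user_agent.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. User u-100's token is used from a second address
# and a different client two minutes after its normal use; user u-200's
# token moves to a new address three hours later with the same client,
# which is ordinary roaming and should not be flagged by default.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user_id": "u-100", "token_id": "tok-a", "src_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (X11; Linux)"}
{"ts": "2024-05-01T09:01:30Z", "user_id": "u-100", "token_id": "tok-a", "src_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (X11; Linux)"}
{"ts": "2024-05-01T09:02:10Z", "user_id": "u-100", "token_id": "tok-a", "src_ip": "198.51.100.77", "user_agent": "python-requests/2.31"}
{"ts": "2024-05-01T09:05:00Z", "user_id": "u-200", "token_id": "tok-b", "src_ip": "192.0.2.5", "user_agent": "Mozilla/5.0 (Macintosh)"}
{"ts": "2024-05-01T12:00:00Z", "user_id": "u-200", "token_id": "tok-b", "src_ip": "192.0.2.9", "user_agent": "Mozilla/5.0 (Macintosh)"}
"""


def parse_events(text):
    """Parse JSON-lines auth events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Python's fromisoformat does not accept a trailing 'Z' before 3.11.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_suspicious_tokens(text, window_minutes=10):
    """Return {token_id: [reasons]} for tokens whose use looks like reuse
    by a second party.

    Two signals are checked per token:
      * the same token seen from two different source addresses within
        `window_minutes` of each other;
      * a user agent that has not been seen for that token before.
    """
    window = timedelta(minutes=window_minutes)
    by_token = defaultdict(list)
    for rec in parse_events(text):
        by_token[rec["token_id"]].append(rec)

    findings = {}
    for token_id, recs in by_token.items():
        reasons = []
        seen_agents = set()
        for i, rec in enumerate(recs):
            # Same token from a different address inside the window.
            for prev in recs[:i]:
                if rec["ts"] - prev["ts"] > window:
                    continue
                if prev["src_ip"] != rec["src_ip"]:
                    reasons.append(
                        f"{rec['user_id']}: {token_id} used from {prev['src_ip']} "
                        f"and {rec['src_ip']} within {window_minutes} min "
                        f"at {rec['ts'].isoformat()}"
                    )
                    break
            # A bearer token is normally bound to one client; a new user
            # agent mid-session deserves a look.
            if seen_agents and rec["user_agent"] not in seen_agents:
                reasons.append(
                    f"{rec['user_id']}: {token_id} switched to client "
                    f"{rec['user_agent']!r} at {rec['ts'].isoformat()}"
                )
            seen_agents.add(rec["user_agent"])
        if reasons:
            findings[token_id] = reasons
    return findings


if __name__ == "__main__":
    for token_id, reasons in find_suspicious_tokens(SAMPLE_LOG).items():
        print(f"[review] {token_id}")
        for reason in reasons:
            print("   ", reason)
```

Run against the constructed sample, only `tok-a` is reported, with one finding for the second source address and one for the changed client. Widening the window to several hours also pulls in `tok-b`, which shows why the window is a tuning knob rather than a fixed rule: address changes over hours are routine, address changes within minutes are not. Any token that is flagged should be revoked and the user re-authenticated after the upgrade.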