CVE-2026-44843 is a critical vulnerability in langchain-core where a single crafted chat message can exfiltrate the server's LangSmith API key. The attack chain works by sending a serialized HubRunnable constructor dict as user input, which survives into run.inputs and gets passed to load(..., allowed_objects='all') in the tracer. HubRunnable's constructor makes an outbound HTTP request via LangSmithClient, which falls back to reading LANGSMITH_API_KEY from the environment and sends it to an attacker-controlled URL in an x-api-key header. The stolen key grants write access to the LangSmith Prompt Hub, enabling silent prompt injection into production AI applications. The vulnerability affects RunnableWithMessageHistory, astream_log, and astream_events(version='v1'). Patched in langchain-core 1.3.3 and 0.3.85. Affected users should upgrade, rotate credentials, audit Prompt Hub artifacts, and validate request bodies against strict schemas.
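As an added defensive example (not code from the write-up or from langchain-core): a request-body filter that enforces a plain-string chat schema and, separately, flags any langchain-core serialization envelope in a decoded JSON body before it can reach run.inputs. It assumes the envelope shape `{"lc": 1, "type": "constructor", "id": [...], "kwargs": {...}}` that `load()` accepts; the sample bodies and the class id inside them are constructed.

```python
"""Reject langchain-core serialized-object envelopes in untrusted chat input."""
from typing import Any

# Keys that mark a langchain-core serialization envelope (assumed shape).
_LC_MARKER_KEYS = {"lc", "type", "id"}
MAX_DEPTH = 8  # bound the walk so deeply nested bodies cannot stall the check


def looks_like_lc_envelope(obj: Any) -> bool:
    """True if obj is a dict shaped like a langchain-core serialized object."""
    return (
        isinstance(obj, dict)
        and _LC_MARKER_KEYS.issubset(obj)
        and isinstance(obj.get("id"), list)
    )


def find_lc_envelopes(obj: Any, path: str = "$", depth: int = 0) -> list[str]:
    """Walk a decoded JSON body; return JSONPath-style locations of envelopes."""
    if depth > MAX_DEPTH:
        return [f"{path} (nesting deeper than {MAX_DEPTH})"]
    hits: list[str] = [path] if looks_like_lc_envelope(obj) else []
    if isinstance(obj, dict):
        for key, val in obj.items():
            hits.extend(find_lc_envelopes(val, f"{path}.{key}", depth + 1))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_lc_envelopes(val, f"{path}[{i}]", depth + 1))
    return hits


def validate_chat_input(body: dict) -> str:
    """Strict schema: body is exactly {"input": str, "session_id": str}."""
    if set(body) != {"input", "session_id"}:
        raise ValueError(f"unexpected top-level keys: {sorted(body)}")
    if not all(isinstance(body[k], str) for k in ("input", "session_id")):
        raise ValueError("input and session_id must be plain strings")
    return body["input"]


def input_is_acceptable(body: dict) -> bool:
    """Convenience wrapper: schema passes and no envelope is present anywhere."""
    try:
        validate_chat_input(body)
    except ValueError:
        return False
    return not find_lc_envelopes(body)


# Constructed sample bodies (not from the article); the class id is a placeholder.
BENIGN_BODY = {"input": "summarise my last ticket", "session_id": "s-123"}
SUSPECT_BODY = {
    "input": {"lc": 1, "type": "constructor",
              "id": ["langchain", "example", "PlaceholderRunnable"], "kwargs": {}},
    "session_id": "s-123",
}
```

Run `find_lc_envelopes` over stored `run.inputs` as well as live request bodies: a hit there is a detection signal, since a correctly validated endpoint should never persist such a dict.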

12 min read. From infosecwriteups.com.
Table of contents (article by Dewank Pant):

- How We Turned LangChain's Tracer Into an Unauthenticated Remote Credential Exfiltration Gadget
- Where we started
- The thing that did not look right
- The bridge from "user input" to "deserializer"
- The class we did not expect to find
- The fallback that gives away the key
- Proving it
- We thought it ended there. It did not.
- HubRunnable was the live gadget. The surface was wider.
- The broader issue: data becoming behavior
- Reporting and what got fixed
- What to do if you ran an affected version