{"data":{"id":"ccdf33ae-e22d-4ccf-a6b4-df72f01e3ad6","title":"CVE-2026-25750: Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm ver","summary":"Langchain Helm Charts (tools for deploying Langchain applications on Kubernetes, a container orchestration system) versions before 0.12.71 had a URL parameter injection vulnerability (a flaw where attackers trick the system by inserting malicious data into URLs) in LangSmith Studio that could steal user authentication tokens through phishing attacks. If a user clicked a malicious link, their bearer token (a credential proving their identity), user ID, and workspace ID would be sent to an attacker's server, allowing the attacker to impersonate them and access their LangSmith resources.","solution":"Upgrade to langchain-ai/helm version 0.12.71 or later. The fix implements validation requiring user-defined allowed origins for the baseUrl parameter, preventing tokens from being sent to unauthorized servers. Self-hosted customers must upgrade to the patched version.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-25750","publishedAt":"2026-03-04T22:16:17.667Z","cveId":"CVE-2026-25750","cweIds":["CWE-74"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangChain","LangSmith"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00055,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}