GHSA-rr7j-v2q5-chgv: LangSmith SDK: Streaming token events bypass output redaction
Summary
The LangSmith SDK (a tool for monitoring AI applications) has a security flaw where its output redaction feature (hideOutputs in JavaScript, hide_outputs in Python) doesn't work for streaming token events. When an LLM produces streamed output, each piece of data is recorded as a new_token event with unredacted content that bypasses the redaction process entirely, potentially leaking sensitive information to LangSmith storage.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-rr7j-v2q5-chgv
First tracked: April 16, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 95%