
Significant security flaws flagged in LangSmith, SGLang


AI agent development and deployment platform LangSmith and high-performance large language model serving framework SGLang have been impacted by vulnerabilities that could allow attackers to take over accounts and run code remotely, respectively, according to The Hacker News.

Miggo Security researchers discovered that LangSmith's cloud and self-hosted deployments were affected by the high-severity account takeover bug, tracked as CVE-2026-25750, which could be exploited to facilitate login data theft. Abuse of the flaw, which was addressed in LangSmith version 0.12.71, could also allow account infiltration, as well as AI log and activity access. Meanwhile, SGLang's vulnerabilities CVE-2026-3060, CVE-2026-3059, and CVE-2026-3989 remain unpatched.

"The first two allow unauthenticated remote code execution against any SGLang deployment that exposes its multimodal generation or disaggregation features to the network. The third involves insecure deserialization in a crash dump replay utility," said Orca security researcher Igor Stepansky.

The disclosures come as BeyondTrust reported a security issue in Amazon Bedrock AgentCore Code Interpreter that enables attackers to bypass the feature's sandbox restrictions.
