After Friday's run of criticals, the weekend's quiet — nothing new landed on the AI stack across Saturday and Sunday morning. The item worth surfacing is one Saturday's digest didn't get to: an arbitrary file read in the LangSmith SDK (7.7), the tracing layer a lot of LangChain apps run in production, fixed in 0.8.18. A path-filter bypass in the mcpvault MCP server rounds out a thin morning. Nothing new on the .NET, NuGet, or Angular side in the window — the last items there were the June 9 Patch Tuesday set.

Worth your morning

LangSmith SDK (GHSA-f4xh-w4cj-qxq8). The TracingMiddleware in the LangSmith SDK — the observability layer many LangChain apps run in production — can be steered into reading files off the server's filesystem, with the contents landing as trace attachments visible to any workspace member who can read traces. Scored 7.7, no CVE assigned, fixed in 0.8.18. If you run LangSmith tracing on a server that handles untrusted requests, upgrade and treat anything that process can read as exposed in your traces.

mcpvault (GHSA-9c83-rr99-vfwj). A path-filter bug in the mcpvault MCP server: its denylist for sensitive directories — .git, .obsidian, node_modules — was enforced only at the vault root, so the same names nested deeper stayed reachable. A companion advisory the same day notes the denylist could also be slipped with case changes and trailing dots. Both close in 0.11.5 (moderate, 6.9). The throughline with LangSmith is the one that ran through Friday's batch too: AI tooling that reads from the filesystem on request and doesn't keep the boundary where it says it does.