CrewAI 1.14.5a6 Patches the Prompt-Manifest Trust Boundary Agents Keep Ignoring

CrewAI v1.14.5a6 is an alpha release with the kind of changelog item production teams should read slowly: a dependency bump for a LangSmith prompt-manifest vulnerability and a fix for streamed tool calls that could disappear when available_functions was absent. Neither item looks dramatic in isolation. Together they describe exactly where agent systems keep getting fragile: remote prompt configuration and runtime tool-call visibility.

The release landed May 15 at 20:05 UTC. CrewAI lists three fixes: streamed tool calls when available_functions is absent, langsmith >=0.8.0 for GHSA-3644-q5cj-c5c7 / CVE-2026-45134, and a documentation placeholder issue in Brazilian Portuguese code blocks. The docs fix is harmless. The first two are the reason this release matters.

A prompt manifest is configuration, and configuration is an attack surface

The LangSmith advisory is the headline. GHSA-3644-q5cj-c5c7 describes a trust-boundary issue in LangSmith SDK prompt pull methods. Older versions did not clearly distinguish prompts from the same organization from public prompts addressed by owner/name. With include_model=True, pulled prompt manifests could deserialize more than text. They could carry model configuration, custom base URLs, default headers, constructor kwargs, and secret references.

That should make every agent engineer sit up. A prompt bundle that can influence base URLs and headers is not “content.” It is remote configuration. In the wrong path, it can redirect outbound model traffic, manipulate behavior, expand deserialization risk, or help an attacker stage SSRF-style abuse. The advisory names realistic impacts including outbound request redirection, LLM traffic interception, prompt injection, behavior manipulation, and expanded deserialization risk.

The remediation in LangSmith SDK is sensible and blunt: Python >=0.8.0 and JS/TS >=0.6.0 block public prompt pulls by default unless callers explicitly pass flags named dangerously_pull_public_prompt=True or dangerouslyPullPublicPrompt: true. That is good API naming. If a developer is about to cross a trust boundary, make them type the word “dangerously.” Frameworks should use shame productively.

CrewAI’s relevant fix, commit 75bb882..., bumps LangSmith to >=0.8.0. This is downstream dependency hygiene, but that is not a backhanded compliment. Agent framework security is increasingly supply-chain security. Your top-level framework may be well behaved while a telemetry, tracing, prompt hub, browser, vector store, or MCP dependency quietly opens a runtime path you did not review.

The practitioner mistake is to think “we do not use LangSmith prompts” and move on. The better move is to audit whether any part of your stack can pull prompts, agent configs, tool manifests, templates, or workflow bundles from public namespaces. If yes, treat those pulls like dependency installation, not like reading a string. Pin versions. Review sources. Block public pulls by default. Log when someone enables a dangerous override. The same security pattern applies well beyond LangSmith.

Streaming bugs are observability bugs wearing runtime clothes

The second meaningful fix is commit eefe0e4...: “surface streamed tool calls when available_functions is absent.” That sounds like an edge case until you remember how many agent products now depend on streaming for user trust. Streaming is not just a UX flourish. It is how operators see what the agent is about to do, why it is waiting, which tool call is being assembled, and where a workflow got stuck.

If streamed tool calls are not surfaced when available_functions is absent, several bad things can happen. The UI may show a text response while the runtime expected an action. The trace may omit the tool request that explains a later failure. A human-in-the-loop approval surface may never appear. Or the agent may degrade into “helpful prose” instead of executing a workflow. In a production system, missing tool-call visibility is not cosmetic. It breaks the operator’s mental model.

This is one of the uncomfortable truths about agent frameworks: the runtime and the observability layer cannot be separated cleanly. A multi-tool agent is only debuggable if tool intent, arguments, intermediate state, approvals, retries, and failures are visible at the right time. Streaming makes that harder because the system is dealing with partial structured data, not a finished response object. The lifecycle has to be explicit: partial model output becomes structured tool invocation, available functions are checked, arguments are surfaced, approval or execution happens, and the trace remains coherent afterward.

CrewAI’s fix suggests one of those edges was leaky. Good that it is patched. Better if teams using CrewAI add regression tests around streamed tool calls in their own workflows, especially if they rely on streaming for interactive UIs, dashboards, support agents, or long-running automations where users expect live state.
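A minimal model of the lifecycle described above, written as an added example for this article rather than CrewAI's own streaming code; the chunk format, the `available_functions` dictionary and the status labels are assumptions. The `surface_without_registry=False` path reproduces the failure class the release note names (tool-call deltas dropped when no registry is supplied), and the default path shows the behaviour a regression test should pin.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional
# Constructed stream: text deltas plus tool-call deltas keyed by call id.
# This chunk shape is an assumption for the example, not CrewAI's format.
SAMPLE_CHUNKS = [
    {"text": "Checking the docs"},
    {"tool_call": {"id": "c1", "name": "search_docs", "args": '{"q": "cre'}},
    {"tool_call": {"id": "c1", "args": 'wai stream"}'}},
    {"text": " now."},
]

@dataclass
class ToolCall:
    call_id: str
    name: str = ""
    args_text: str = ""        # argument JSON assembled from partial deltas
    status: str = "pending"    # pending | ready | unregistered | unresolved

    def arguments(self) -> dict:
        return json.loads(self.args_text) if self.args_text else {}

@dataclass
class StreamResult:
    text: str = ""
    tool_calls: Dict[str, ToolCall] = field(default_factory=dict)  # surfaced

def consume_stream(chunks: Iterable[dict],
                   available_functions: Optional[Dict[str, Callable]] = None,
                   surface_without_registry: bool = True) -> StreamResult:
    """Fold a stream into text plus structured tool calls.
    surface_without_registry=False reproduces the fixed failure class."""
    result = StreamResult()
    for chunk in chunks:
        if "text" in chunk:
            result.text += chunk["text"]
            continue
        if available_functions is None and not surface_without_registry:
            continue                   # the leak: the tool call vanishes
        delta = chunk["tool_call"]
        call = result.tool_calls.setdefault(delta["id"], ToolCall(delta["id"]))
        call.name = delta.get("name", call.name)
        call.args_text += delta.get("args", "")
        if available_functions is None:
            call.status = "unresolved"  # no registry, but still visible
        elif call.name in available_functions:
            call.status = "ready"
        else:
            call.status = "unregistered"
    return result
```

A regression test for a real workflow would replay captured chunks through the framework's own stream handler and assert that every tool call appears in the trace regardless of how `available_functions` was supplied.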

The alpha label is a risk decision, not a stop sign

The awkward part is that v1.14.5a6 is an alpha. Some teams, reasonably, will not deploy alpha releases to production. But security fixes in alpha release lines create an operational question: do you move to the alpha, override the dependency, or wait for a stable cut? There is no universal answer, but pretending the question does not exist is the wrong one.

If your environment resolves a vulnerable LangSmith SDK version and permits public prompt pulls, you should act now. That may mean upgrading CrewAI if your tolerance allows it. It may mean pinning langsmith>=0.8.0 separately and running your test suite. It may mean disabling prompt hub pulls at the network or policy layer. The important thing is to make the decision intentionally instead of assuming transitive dependency scanning will understand your agent runtime semantics.

For teams with CrewAI in production, the immediate checklist is straightforward. First, identify the resolved LangSmith SDK version in every deployed environment, not just your lockfile. Second, search code and configuration for public prompt pulls, include_model=True, and any dangerous override flags. Third, add tests or trace assertions for streamed tool calls in the workflows users actually see. Fourth, treat prompt manifests as reviewable artifacts, especially if they come from public hubs or third-party examples.
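Helpers for the first two checklist items, and for the audit suggested earlier in the LangSmith section, added here as example code rather than anything CrewAI or LangSmith ships. The version floor comes from the `langsmith>=0.8.0` pin, the regexes are heuristics built from the parameter and flag names quoted on this page, and the sample source is constructed.

```python
import re
from importlib import metadata
from pathlib import Path
from typing import Iterator, List, Optional, Tuple
FIXED_LANGSMITH = (0, 8, 0)   # floor the release pins: langsmith>=0.8.0

# Heuristic patterns from the advisory: public owner/name pulls, manifests that
# carry model config, and the explicit dangerous overrides in Python and JS/TS.
RISKY_PATTERNS = {
    "owner_name_pull": re.compile(r"""pull_prompt\(\s*["'][^"'/]+/[^"']+["']"""),
    "include_model": re.compile(r"include_model\s*=\s*True"),
    "dangerous_override_py": re.compile(r"dangerously_pull_public_prompt\s*=\s*True"),
    "dangerous_override_js": re.compile(r"dangerouslyPullPublicPrompt\s*:\s*true"),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'0.7.3rc1' -> (0, 7, 3): leading dotted integers, pre-release tag ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(x) for x in m.group().split(".")) if m else ()

def langsmith_is_patched(installed: Optional[str]) -> bool:
    """True only when a version is present and meets the >=0.8.0 floor."""
    return installed is not None and parse_version(installed) >= FIXED_LANGSMITH

def resolved_langsmith_version() -> Optional[str]:
    """The version the running interpreter actually resolves, not the lockfile."""
    try:
        return metadata.version("langsmith")
    except metadata.PackageNotFoundError:
        return None

def scan_source(text: str, path: str = "<inline>") -> List[Tuple[str, int, str, str]]:
    """Return (path, line number, pattern label, stripped line) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in RISKY_PATTERNS.items():
            if pattern.search(line):
                hits.append((path, lineno, label, line.strip()))
    return hits

def scan_tree(root: str, suffixes=(".py", ".js", ".ts", ".yaml", ".yml", ".json")) -> Iterator[tuple]:
    """Walk a checkout and report every risky pull or override it contains."""
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            yield from scan_source(p.read_text(errors="ignore"), str(p))

# Constructed snippet standing in for a repository file; the prompt names are made up.
SAMPLE_SOURCE = '''client = Client()
public = client.pull_prompt("someone/public-prompt", include_model=True)
internal = client.pull_prompt("our-internal-prompt")
'''
```

Run `langsmith_is_patched(resolved_langsmith_version())` inside each deployed environment's interpreter, since a lockfile alone does not prove what the running process imports.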

The broader industry point is bigger than CrewAI. The agent ecosystem spent 2023 and 2024 pretending prompts were text and tools were function calls. In 2026, prompts are packaged configuration, tools are delegated authority, and traces are operational evidence. Every one of those surfaces can fail in ways that look like normal framework behavior until someone audits the boundary.

CrewAI deserves credit for moving quickly enough to pin the safe LangSmith dependency in its own release line. But the useful lesson is not “upgrade CrewAI and relax.” It is that dependency updates, prompt-hub defaults, streaming state, and tool-call surfacing are now part of agent security. Read the boring release notes. They are where the incidents usually start.

Sources: CrewAI v1.14.5a6 release, GitHub Advisory GHSA-3644-q5cj-c5c7 / CVE-2026-45134, LangSmith dependency fix, streamed tool-call fix