Description

Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an existing LLM connection to an attacker-controlled baseUrl, causing Langfuse to reuse the stored provider secret and redirect the test request to an attacker-controlled endpoint. This could expose the plaintext provider LLM API key for that connection. The attack is only possible if a user is already part of a project and has “member” scoped access. This issue has been patched in version 3.167.0.

INFO

Published Date :

2026-05-08T14:27:48.588Z

Last Modified :

2026-05-08T14:27:48.588Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41487 vulnerability.

Vendors Products
Langfuse
  • Langfuse
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41487.

URL Resource
https://github.com/langfuse/langfuse/commit/7527bb0d84bc0a3dc24a4b16d22ed2e46e6dddff cve-icon cve-icon
https://github.com/langfuse/langfuse/commit/e12386f9d4368bbfff24a4ad7fd53641091605ff cve-icon cve-icon
https://github.com/langfuse/langfuse/pull/13027 cve-icon cve-icon
https://github.com/langfuse/langfuse/pull/13055 cve-icon cve-icon
https://github.com/langfuse/langfuse/releases/tag/v3.167.0 cve-icon cve-icon
https://github.com/langfuse/langfuse/security/advisories/GHSA-2524-j966-gfgh cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability