CVE-2026-41487

MEDIUM EPSS 7.9%
Published May 8, 20261mo ago · Modified Jun 17, 20261w ago
5.3 CVSS 4.0
Medium
Find Similar
Published May 8, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an existing LLM connection to an attacker-controlled baseUrl, causing Langfuse to reuse the stored provider secret and redirect the test request to an attacker-controlled endpoint. This could expose the plaintext provider LLM API key for that connection. The attack is only possible if a user is already part of a project and has “member” scoped access. This issue has been patched in version 3.167.0.

CVSS Details

Base Score
5.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
7.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-284

Affected Products 1

VendorProductVersionRange
langfuselangfuse*≥3.68.0  –  <3.167.0

References 6

  • github.com https://github.com/langfuse/langfuse/commit/7527bb0d84bc0a3dc24a4b16d22ed2e46e6dddff
    Patch
  • github.com https://github.com/langfuse/langfuse/commit/e12386f9d4368bbfff24a4ad7fd53641091605ff
    Patch
  • github.com https://github.com/langfuse/langfuse/pull/13027
    Issue TrackingPatch
  • github.com https://github.com/langfuse/langfuse/pull/13055
    Issue TrackingPatch
  • github.com https://github.com/langfuse/langfuse/releases/tag/v3.167.0
    Release Notes
  • github.com https://github.com/langfuse/langfuse/security/advisories/GHSA-2524-j966-gfgh
    MitigationPatchVendor Advisory

Remediation

  • github.com https://github.com/langfuse/langfuse/commit/7527bb0d84bc0a3dc24a4b16d22ed2e46e6dddff
    Patch
  • github.com https://github.com/langfuse/langfuse/commit/e12386f9d4368bbfff24a4ad7fd53641091605ff
    Patch
  • github.com https://github.com/langfuse/langfuse/pull/13027
    Issue TrackingPatch
  • github.com https://github.com/langfuse/langfuse/pull/13055
    Issue TrackingPatch
  • github.com https://github.com/langfuse/langfuse/security/advisories/GHSA-2524-j966-gfgh
    MitigationPatchVendor Advisory