Description
Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an existing LLM connection to an attacker-controlled baseUrl, causing Langfuse to reuse the stored provider secret and redirect the test request to an attacker-controlled endpoint. This could expose the plaintext provider LLM API key for that connection. The attack is only possible if a user is already part of a project and has “member” scoped access. This issue has been patched in version 3.167.0.
Published: 2026-05-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper role-based access control in the update flow that manages LLM connections. An authenticated user holding only the member role in a Langfuse project can request an update to an existing connection and supply an attacker-controlled baseUrl. The application then reuses the stored provider secret to send a test request to that endpoint, leaking the plaintext LLM provider API key. This vulnerability, classified as CWE-284, results in the disclosure of confidential credentials that could grant remote parties full access to the provider account.

Affected Systems

Langfuse releases from 3.68.0 up to, but not including, 3.167.0 are affected. The issue was fixed in release 3.167.0, which updates the access control checks in the LLM connection update flow. Only installations that have not applied the patch and that have project users holding the member role are at risk.

Risk and Exploitability

The flaw has a CVSS score of 5.3, indicating moderate severity. No EPSS score was published, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a user who already holds the member role in a project; that user then triggers the update operation with an attacker-controlled baseUrl. Once the request is processed, the stored API key is sent in plaintext to that endpoint. The attack vector is intra-application and requires no access beyond normal API calls; the leak itself depends on the Langfuse server being able to reach the attacker-controlled endpoint with its test request.

Generated by OpenCVE AI on May 8, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langfuse to version 3.167.0 or newer.
  • If immediate upgrade is not possible, remove the member role from users who no longer need it or restrict project membership to administrators only.
  • Verify that only authorized personnel can modify LLM connection settings and that baseUrl changes are validated against a predefined whitelist.
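The following Python models the update flow the advisory describes, first with the access-control gap and then with the checks the recommended actions call for. It is an added illustration, not Langfuse's code: the role names, the allowlisted provider hosts, the function and class names and the sample key are all assumptions. Beyond the two listed checks (a privileged-role requirement and a baseUrl allowlist) it also requires the caller to re-supply the provider secret whenever the destination changes, so a stored key is never sent to a newly introduced endpoint.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed role hierarchy; Langfuse's real role set may differ.
ROLE_RANK = {"owner": 3, "admin": 2, "member": 1, "viewer": 0}

# Constructed allowlist of provider hosts a connection may point at.
ALLOWED_BASE_URL_HOSTS = {"api.openai.com", "api.anthropic.com"}


class Forbidden(Exception):
    pass


class InvalidBaseUrl(Exception):
    pass


class SecretRequired(Exception):
    pass


@dataclass
class LlmConnection:
    project_id: str
    base_url: str
    api_key: str  # the stored provider secret


@dataclass
class User:
    user_id: str
    roles: dict  # project_id -> role name


@dataclass
class FakeNetwork:
    """Records outbound test requests instead of sending them."""
    sent: list = field(default_factory=list)

    def test_connection(self, base_url, api_key):
        self.sent.append({"base_url": base_url, "api_key": api_key})
        return True


def update_connection_vulnerable(user, conn, new_base_url, net):
    """Models the flawed flow: membership is the only check, the caller's
    baseUrl is accepted as-is, and the stored secret is reused for the test."""
    if conn.project_id not in user.roles:
        raise Forbidden("not a member of this project")
    conn.base_url = new_base_url
    net.test_connection(conn.base_url, conn.api_key)
    return conn


def base_url_is_allowed(url):
    """HTTPS only, host must be allowlisted, and no userinfo so that
    'https://api.openai.com@evil.example/' cannot masquerade as a provider."""
    parts = urlparse(url)
    return (parts.scheme == "https"
            and parts.hostname in ALLOWED_BASE_URL_HOSTS
            and parts.username is None and parts.password is None)


def update_connection_hardened(user, conn, new_base_url, net,
                               new_api_key=None, required_role="admin"):
    """Hardened flow: privileged role, allowlisted destination, and a fresh
    secret whenever the destination changes."""
    role = user.roles.get(conn.project_id)
    if ROLE_RANK.get(role, -1) < ROLE_RANK[required_role]:
        raise Forbidden(f"role {role!r} may not modify LLM connections")
    if not base_url_is_allowed(new_base_url):
        raise InvalidBaseUrl(f"baseUrl host not allowlisted: {new_base_url}")
    if new_base_url != conn.base_url and new_api_key is None:
        raise SecretRequired("changing baseUrl requires re-supplying the key")
    conn.base_url = new_base_url
    if new_api_key is not None:
        conn.api_key = new_api_key
    net.test_connection(conn.base_url, conn.api_key)
    return conn


def demo():
    """Runs both flows on constructed data and returns the observed outcomes."""
    secret = "sk-constructed-example-key"            # constructed sample value
    attacker_url = "https://collector.example.invalid/v1"  # constructed
    member = User("u1", {"proj-1": "member"})
    admin = User("u2", {"proj-1": "admin"})
    results = {}

    conn = LlmConnection("proj-1", "https://api.openai.com/v1", secret)
    net = FakeNetwork()
    update_connection_vulnerable(member, conn, attacker_url, net)
    results["vulnerable_key_sent_to"] = net.sent[0]["base_url"]
    results["vulnerable_key_value"] = net.sent[0]["api_key"]

    conn = LlmConnection("proj-1", "https://api.openai.com/v1", secret)
    net = FakeNetwork()
    cases = [
        (member, attacker_url, None, "member_rejected"),
        (admin, attacker_url, "sk-new", "bad_host_rejected"),
        (admin, "https://api.anthropic.com/v1", None, "missing_key_rejected"),
        (admin, "https://api.anthropic.com/v1", "sk-new", "admin_ok"),
    ]
    for who, url, key, label in cases:
        try:
            update_connection_hardened(who, conn, url, net, new_api_key=key)
            results[label] = "updated"
        except (Forbidden, InvalidBaseUrl, SecretRequired) as exc:
            results[label] = type(exc).__name__
    results["hardened_requests"] = [r["base_url"] for r in net.sent]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the vulnerable flow the member's request causes the stored secret to be sent to the attacker-controlled URL; in the hardened flow the member is refused outright, an admin cannot point the connection at a non-allowlisted host, and even an allowed host change needs a freshly supplied key, so the only outbound test request carries the new key to the allowlisted provider.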

Advisories

No advisories yet.

History

Fri, 08 May 2026 20:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 16:30:00 +0000
  First Time appeared (added): Langfuse; Langfuse langfuse
  Vendors & Products (added): Langfuse; Langfuse langfuse

Fri, 08 May 2026 14:45:00 +0000
  Description (added): the text shown in the Description section above
  Title (added): Langfuse: Improper role-based-access control in Langfuse LLM connection management allowed users of role “member” to retrieve stored LLM provider API keys
  Weaknesses (added): CWE-284
  References (added): none shown
  Metrics (added): cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-05-08T19:44:31.496Z
  Reserved: 2026-04-20T16:14:19.007Z
  Link: CVE-2026-41487

Vulnrichment
  Updated: 2026-05-08T19:44:20.584Z

NVD
  Status: Awaiting Analysis
  Published: 2026-05-08T15:16:39.800
  Modified: 2026-05-08T16:08:15.570
  Link: CVE-2026-41487

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-05-08T16:15:12Z
  Weaknesses