9 matches found

NVD
added 2026/05/08 3:16 p.m.

CVE-2026-41487

Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an...

CVSS 5.4, EPSS 0.00036
Exploits: 0, References: 6
Positive Technologies
added 2026/05/08 12:00 a.m.

PT-2026-39011

Name of the Vulnerable Software and Affected Versions: Langfuse versions 3.68.0 through 3.166.0. Description: A role-based access control flaw exists in the LLM connection update flow. An authenticated user with the "member" role in a project can request an update to an existing LLM connection by...

CVSS 5.4, AI score 5.8, EPSS 0.00036
Exploits: 0, References: 9
OSV
added 2026/01/22 3:07 a.m.

CVE-2026-24055 Langfuse Slack OAuth Installation Endpoint Lacks Authentication, Enabling Arbitrary Project Linking

Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow,...

CVSS 6.3, AI score 5.6, EPSS 0.00041
Exploits: 2, References: 6
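The OSV entry above describes an OAuth install endpoint that accepts a client-supplied projectId with no authentication or authorization and carries it unchanged through the OAuth flow, so anyone can link a Slack workspace to an arbitrary project. The following is an added illustration of that bug class beside the usual defence (authenticate, authorize against the project, then bind the project to the requesting session inside an HMAC-signed, expiring state parameter that the callback re-verifies). It is example code written for this page, not Langfuse's implementation; the role names, membership table, `hardenedInstall`/`hardenedCallback` functions and the per-deployment `STATE_SECRET` are all assumptions.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Illustrative types and data; none of this is Langfuse's code or schema.
type Role = "owner" | "admin" | "member" | "viewer";
interface Session { userId: string }
interface StatePayload { projectId: string; userId: string; nonce: string; exp: number }

// Constructed membership table standing in for the database.
const MEMBERSHIPS: Record<string, Record<string, Role>> = {
  "user-alice": { "proj-A": "admin" },
  "user-bob": { "proj-B": "member" },
};

function roleOf(userId: string, projectId: string): Role | undefined {
  return MEMBERSHIPS[userId]?.[projectId];
}

// --- Vulnerable shape: the client picks the project and nobody checks who is asking.
function vulnerableInstall(query: { projectId: string }): string {
  // The OAuth state is the raw projectId; the callback trusts it as-is.
  return query.projectId;
}
function vulnerableCallback(state: string): string {
  return state; // project the Slack workspace gets linked to, for anyone
}

// --- Hardened shape: authenticate, authorize, then bind the project to the session
// in a signed state that the callback verifies before linking anything.
const STATE_SECRET = randomBytes(32); // assumption: per-deployment secret kept server-side
const STATE_TTL_MS = 10 * 60 * 1000;

function sign(body: string): string {
  return createHmac("sha256", STATE_SECRET).update(body).digest("base64url");
}

function requireInstallRole(userId: string, projectId: string): void {
  const role = roleOf(userId, projectId);
  if (role !== "owner" && role !== "admin") throw new Error("forbidden");
}

function hardenedInstall(session: Session | null, query: { projectId: string }, now = Date.now()): string {
  if (!session) throw new Error("unauthenticated");
  requireInstallRole(session.userId, query.projectId);
  const payload: StatePayload = {
    projectId: query.projectId,
    userId: session.userId,
    nonce: randomBytes(16).toString("base64url"),
    exp: now + STATE_TTL_MS,
  };
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return `${body}.${sign(body)}`;
}

function hardenedCallback(session: Session | null, state: string, now = Date.now()): string {
  if (!session) throw new Error("unauthenticated");
  const [body, mac] = state.split(".");
  if (!body || !mac) throw new Error("malformed state");
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(mac);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) {
    throw new Error("bad state signature");
  }
  const payload = JSON.parse(Buffer.from(body, "base64url").toString()) as StatePayload;
  if (payload.exp < now) throw new Error("state expired");
  // The project comes from the signed state, never from a client parameter,
  // and the state must have been issued to this very session.
  if (payload.userId !== session.userId) throw new Error("state not issued to this session");
  requireInstallRole(session.userId, payload.projectId);
  return payload.projectId;
}
```

The callback re-checks the role because membership can change between the install redirect and the provider's return; the nonce only makes each state value unique, the binding that matters is the userId in the signed payload.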
RedhatCVE
added 2025/11/26 4:56 p.m.

CVE-2025-65107

Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTHCHECK setting, a potential account takeover may happen if an authenticated user is made to call...

CVSS 6.5, AI score 6.7, EPSS 0.00017
Exploits: 0, References: 1
Vulnrichment
added 2025/11/21 9:49 p.m.

CVE-2025-65107 Langfuse SSO Account Takeover via CSRF or phishing attack

Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTHCHECK setting, a potential account takeover may happen if an authenticated user is made to call...

CVSS 6.5, AI score 6.3, EPSS 0.00017
Exploits: 0, References: 1
EUVD
added 2025/11/21 9:49 p.m.

EUVD-2025-198512

Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTHCHECK setting, a potential account takeover may happen if an authenticated user is made to call...

CVSS 6.5, AI score 6.2, EPSS 0.00017
Exploits: 0, References: 1
CNNVD
added 2025/11/21 12:00 a.m.

langfuse cross-site request forgery vulnerability

langfuse is a large language model engineering platform open-sourced by Langfuse. A cross-site request forgery vulnerability exists in langfuse version 2.95.0 up to and including version 2.95.12 and version 3.17.0 up to and including version 3.131.0, which stems from a misconfiguration of SSO and...

CVSS 6.5, AI score 6.6, EPSS 0.00017
Exploits: 0, References: 2
Positive Technologies
added 2025/11/10 12:00 a.m.

PT-2025-46209

Name of the Vulnerable Software and Affected Versions: Langfuse versions 2.70.0 through 2.95.10; Langfuse versions 3.0.0 through 3.124.0. Description: Langfuse is a large language model engineering platform. In certain project membership APIs, the server improperly trusted a user-controlled orgId and...

CVSS 5, AI score 6.3, EPSS 0.00069
Exploits: 0, References: 11
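Two entries on this page describe the same family of server-side authorization mistakes in project-scoped APIs: the NVD/Positive Technologies records for CVE-2026-41487 (a user with the "member" role can update an LLM connection, i.e. membership is checked but the role is not) and PT-2025-46209 just above (membership APIs trust an orgId supplied by the client instead of resolving the organization from the project being acted on). The block below is an added example, not Langfuse's code, showing both weak checks beside one hardened `authorize` function that derives the org from the project and gates the action on a role-to-scope matrix. The role names, scope strings and the policy that only owner/admin may update LLM connections are illustrative assumptions.

```typescript
// Illustrative types and data; not Langfuse's schema or role matrix.
type Role = "owner" | "admin" | "member" | "viewer";
type Scope = "llmApiKeys:read" | "llmApiKeys:update" | "members:read" | "members:update";

// Assumed policy: read scopes for everyone, write scopes for owner/admin only.
const ALL_SCOPES: Scope[] = ["llmApiKeys:read", "llmApiKeys:update", "members:read", "members:update"];
const SCOPES_BY_ROLE: Record<Role, Scope[]> = {
  owner: ALL_SCOPES,
  admin: ALL_SCOPES,
  member: ["llmApiKeys:read", "members:read"],
  viewer: ["llmApiKeys:read"],
};

// Constructed data: which org owns each project, and each user's role per org.
const PROJECT_ORG: Record<string, string> = { "proj-A": "org-1", "proj-B": "org-2" };
const ORG_ROLE: Record<string, Record<string, Role>> = {
  "user-alice": { "org-1": "admin" },
  "user-bob": { "org-1": "member" },
  "user-carol": { "org-2": "admin" },
};

interface Request { userId: string; projectId: string; scope: Scope }

// Weak check 1: confirms the caller belongs to the project's org but never
// consults the role, so a "member" passes an update scope.
function vulnerableMemberCheck(req: Request): boolean {
  const orgId = PROJECT_ORG[req.projectId];
  return orgId !== undefined && ORG_ROLE[req.userId]?.[orgId] !== undefined;
}

// Weak check 2: the org is taken from the request body. An admin of org-2 can
// name org-2 while pointing projectId at a project that belongs to org-1.
function vulnerableOrgCheck(req: Request & { orgId: string }): boolean {
  const role = ORG_ROLE[req.userId]?.[req.orgId];
  return role !== undefined && SCOPES_BY_ROLE[role].includes(req.scope);
}

class HttpError extends Error {
  constructor(public status: number, message: string) { super(message); }
}

// Hardened check: resolve the org from the project server-side, load the
// caller's role in that org, and require the role to carry the requested scope.
function authorize(req: Request): Role {
  const orgId = PROJECT_ORG[req.projectId];
  if (orgId === undefined) throw new HttpError(404, "project not found");
  const role = ORG_ROLE[req.userId]?.[orgId];
  if (role === undefined) throw new HttpError(403, "not a member of the project's organization");
  if (!SCOPES_BY_ROLE[role].includes(req.scope)) {
    throw new HttpError(403, `role ${role} lacks scope ${req.scope}`);
  }
  return role;
}

function statusOf(fn: () => unknown): number {
  try { fn(); return 200; } catch (e) { return e instanceof HttpError ? e.status : 500; }
}
```

Returning 404 for an unknown project and 403 for a known one is a deliberate choice here; if project existence itself is sensitive in a deployment, both cases should collapse to the same status.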
CNNVD
added 2025/09/24 12:00 a.m.

langfuse security vulnerability

langfuse is a large language model engineering platform open-sourced by Langfuse. A security vulnerability exists in langfuse that stems from improper authorization of background migration endpoints, which could lead to data corruption or denial of service attacks...

CVSS 7.6, AI score 6.7, EPSS 0.00122
Exploits: 1, References: 3