VDB
CVE-2026-41487
CVE-2026-41487
PUBLISHED
CVSS 5.300000190734863 MEDIUM
Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an existing LLM connection to an attacker-controlled baseUrl, causing Langfuse to reuse the stored provider secret and redirect the test request to an attacker-controlled endpoint. This could expose the plaintext provider LLM API key for that connection. The attack is only possible if a user is already part of a project and has “member” scoped access. This issue has been patched in version 3.167.0.
EPSS 0.04% · 11.1th percentile
Risk Scores
CVSS v4.0
5.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.04%
11.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| langfuse | langfuse | >= 3.68.0, < 3.167.0 |
Timeline
- May 8, 2026 CVE Published
- May 10, 2026 Security Advisory
- May 13, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
References
- https://github.com/langfuse/langfuse/security/advisories/GHSA-2524-j966-gfgh url
- https://github.com/langfuse/langfuse/pull/13027 url
- https://github.com/langfuse/langfuse/pull/13055 url
- https://github.com/langfuse/langfuse/commit/7527bb0d84bc0a3dc24a4b16d22ed2e46e6dddff url
- https://github.com/langfuse/langfuse/commit/e12386f9d4368bbfff24a4ad7fd53641091605ff url
- https://github.com/langfuse/langfuse/releases/tag/v3.167.0 url