Langfuse
Products
1- 6 CVEs
Recent CVEs
6| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-9799 | Med | 0.33 | 5.0 | 0.00 | Sep 1, 2025 | A security flaw has been discovered in Langfuse up to 3.88.0. Affected by this vulnerability is the function promptChangeEventSourcing of the file web/src/features/prompts/server/routers/promptRouter.ts of the component Webhook Handler. Performing manipulation results in… | ||
| CVE-2026-41487 | Med | 0.28 | 5.4 | 0.00 | May 8, 2026 | Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could… | ||
| CVE-2026-24055 | 0.00 | — | 0.00 | Jan 22, 2026 | Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved… | |||
| CVE-2025-65107 | 0.00 | — | 0.00 | Nov 21, 2025 | Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH__CHECK setting, a potential account takeover may happen if an… | |||
| CVE-2025-64504 | 0.00 | — | 0.00 | Nov 10, 2025 | Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user‑controlled orgId and used it in authorization checks. As a result, any… | |||
| CVE-2025-59305 | 0.00 | — | 0.00 | Sep 24, 2025 | Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. This can lead to data corruption or denial of service through unauthorized access to TRPC endpoints such as… |
- risk 0.33cvss 5.0epss 0.00
A security flaw has been discovered in Langfuse up to 3.88.0. Affected by this vulnerability is the function promptChangeEventSourcing of the file web/src/features/prompts/server/routers/promptRouter.ts of the component Webhook Handler. Performing manipulation results in…
- risk 0.28cvss 5.4epss 0.00
Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could…
- CVE-2026-24055Jan 22, 2026risk 0.00cvss —epss 0.00
Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved…
- CVE-2025-65107Nov 21, 2025risk 0.00cvss —epss 0.00
Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH__CHECK setting, a potential account takeover may happen if an…
- CVE-2025-64504Nov 10, 2025risk 0.00cvss —epss 0.00
Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user‑controlled orgId and used it in authorization checks. As a result, any…
- CVE-2025-59305Sep 24, 2025risk 0.00cvss —epss 0.00
Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. This can lead to data corruption or denial of service through unauthorized access to TRPC endpoints such as…