Langfuse: 5 CVEs

CVE-2026-41487 (MEDIUM; patch available; this month)

Langfuse versions 3.68.0 through 3.166.x contain an insufficient access control flaw allowing authenticated project members to modify LLM connection endpoints and exfiltrate stored provider API keys in plaintext. An attacker with 'member' role can update an existing LLM connection's baseUrl to an attacker-controlled server, causing Langfuse to reuse the stored provider secret and redirect test requests to that endpoint, exposing credentials like OpenAI API keys. The vulnerability requires prior project membership but no elevated privileges; it was patched in version 3.167.0.

Tags: Authentication Bypass, Langfuse. Sources: NVD, GitHub. CVSS 4.0: 5.3. EPSS: 0.0%.
CVE-2026-24055 (MEDIUM; public PoC; patch available; this month)

Langfuse versions 3.146.0 and below allow unauthenticated attackers to hijack Slack OAuth integrations by injecting arbitrary projectIds into the /api/public/slack/install endpoint, enabling them to bind malicious Slack workspaces to any project and intercept prompt management data. An attacker can replace existing Prompt Slack Automations or pre-register malicious integrations that execute when authenticated users unknowingly configure them. Public exploit code exists for this vulnerability, which affects the DNS and AI/ML components of the Langfuse platform.

Tags: DNS, AI / ML, Langfuse. Sources: NVD, GitHub. CVSS 3.1: 5.3. EPSS: 0.0%.
CVE-2025-65107 (MEDIUM; this month)

Langfuse is an open source large language model engineering platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. No vendor patch is available.

Tags: Authentication Bypass, CSRF, Langfuse. Sources: NVD, GitHub. CVSS 3.1: 6.5. EPSS: 0.0%.
CVE-2025-64504 (MEDIUM; patch available; this month)

Langfuse is an open source large language model engineering platform. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable with low attack complexity.

Tags: Information Disclosure, Langfuse. Sources: NVD, GitHub. CVSS 3.1: 5.0. EPSS: 0.1%.
CVE-2025-59305 (HIGH; public PoC; this month)

Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: Authentication Bypass, Denial Of Service, Langfuse. Sources: NVD. CVSS 3.1: 7.6. EPSS: 0.1%.