CVE-2026-41487
LLM Connection BaseURL Redirection in Langfuse
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langfuse | langfuse | From 3.68.0 (inc) to 3.167.0 (exc) |
| langfuse | langfuse | 3.167.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Langfuse, an open source large language model engineering platform, in versions from 3.68.0 to before 3.167.0. It is a role-based access control flaw in the LLM connection update flow. Specifically, an authenticated user with a low-privileged "member" role in a project could update an existing LLM connection's baseUrl to an attacker-controlled endpoint. This caused Langfuse to reuse the stored provider secret and redirect test requests to the attacker-controlled URL, potentially exposing the plaintext provider LLM API key associated with that connection.
The attack requires the user to already be part of a project with "member" scoped access. The issue was patched in version 3.167.0 by enforcing stricter write permissions and requiring secret keys when changing the base URL.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated, low-privileged user with "member" role access to update an LLM connection to an attacker-controlled baseUrl, potentially exposing plaintext provider LLM API keys.
Exposure of sensitive API keys could lead to unauthorized access to data or services, which may result in violations of data protection regulations such as GDPR or HIPAA if personal or sensitive data is accessed or compromised.
Therefore, this flaw could negatively impact compliance with standards that require strict access controls and protection of sensitive credentials, as it undermines role-based access control and confidentiality.
The issue has been patched in version 3.167.0, which enforces stricter permissions and requires secret keys for base URL changes, mitigating the risk of unauthorized exposure.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow a low-privileged project member to obtain the plaintext LLM provider API key by redirecting test requests to an attacker-controlled endpoint. This exposure of sensitive API keys can lead to unauthorized access to the LLM provider services, potentially resulting in data leakage, unauthorized usage, or further compromise of the system.
Because the attacker can reuse the stored provider secret, they might impersonate legitimate API calls or extract sensitive information, increasing the risk to the confidentiality and integrity of your LLM connections.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authenticated user with "member" role updating an existing LLM connection's baseUrl to an attacker-controlled endpoint, causing exposure of the plaintext provider LLM API key.
Detection would involve monitoring for unusual or unauthorized update requests to LLM connection base URLs, especially those redirecting to unknown or suspicious external endpoints.
Since the vulnerability is related to API calls within the Langfuse platform, you can audit logs or network traffic for requests to the LLM connection update endpoints that change the baseUrl.
Specific commands are not provided in the available resources, but general approaches include:
- Review application logs for HTTP requests to LLM connection update endpoints that include baseUrl changes.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to detect outbound connections from your system to unknown or suspicious URLs that could indicate redirected test requests.
- Check for anomalous API calls made by users with "member" role that attempt to update LLM connection configurations.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Langfuse version 3.167.0.
Immediate mitigation steps include:
- Upgrade Langfuse to version 3.167.0 or later, which enforces stricter write permissions on LLM connection test endpoints and requires a secret key when changing the base URL.
- Restrict permissions so that only authorized users can update LLM connection configurations.
- Audit existing LLM connections for suspicious baseUrl changes and reset any potentially compromised API keys.
- Monitor and log all LLM connection update requests to detect and respond to unauthorized attempts.