CVE-2026-41487
Undergoing Analysis Undergoing Analysis - In Progress
LLM Connection BaseURL Redirection in Langfuse

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role β€œmember” in a project could request the update of an existing LLM connection to an attacker-controlled baseUrl, causing Langfuse to reuse the stored provider secret and redirect the test request to an attacker-controlled endpoint. This could expose the plaintext provider LLM API key for that connection. The attack is only possible if a user is already part of a project and has β€œmember” scoped access. This issue has been patched in version 3.167.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41487
EUVD
EUVD-2026-28647
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
langfuse langfuse From 3.68.0 (inc) to 3.167.0 (exc)
langfuse langfuse 3.167.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Langfuse, an open source large language model engineering platform, in versions from 3.68.0 to before 3.167.0. It is a role-based access control flaw in the LLM connection update flow. Specifically, an authenticated user with a low-privileged "member" role in a project could update an existing LLM connection's baseUrl to an attacker-controlled endpoint. This caused Langfuse to reuse the stored provider secret and redirect test requests to the attacker-controlled URL, potentially exposing the plaintext provider LLM API key associated with that connection.

The attack requires the user to already be part of a project with "member" scoped access. The issue was patched in version 3.167.0 by enforcing stricter write permissions and requiring secret keys when changing the base URL.

Impact Analysis

If exploited, this vulnerability could allow a low-privileged project member to obtain the plaintext LLM provider API key by redirecting test requests to an attacker-controlled endpoint. This exposure of sensitive API keys can lead to unauthorized access to the LLM provider services, potentially resulting in data leakage, unauthorized usage, or further compromise of the system.

Because the attacker can reuse the stored provider secret, they might impersonate legitimate API calls or extract sensitive information, increasing the risk to the confidentiality and integrity of your LLM connections.

Detection Guidance

This vulnerability involves an authenticated user with "member" role updating an existing LLM connection's baseUrl to an attacker-controlled endpoint, causing exposure of the plaintext provider LLM API key.

Detection would involve monitoring for unusual or unauthorized update requests to LLM connection base URLs, especially those redirecting to unknown or suspicious external endpoints.

Since the vulnerability is related to API calls within the Langfuse platform, you can audit logs or network traffic for requests to the LLM connection update endpoints that change the baseUrl.

Specific commands are not provided in the available resources, but general approaches include:

  • Review application logs for HTTP requests to LLM connection update endpoints that include baseUrl changes.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to detect outbound connections from your system to unknown or suspicious URLs that could indicate redirected test requests.
  • Check for anomalous API calls made by users with "member" role that attempt to update LLM connection configurations.
Mitigation Strategies

The vulnerability has been patched in Langfuse version 3.167.0.

Immediate mitigation steps include:

  • Upgrade Langfuse to version 3.167.0 or later, which enforces stricter write permissions on LLM connection test endpoints and requires a secret key when changing the base URL.
  • Restrict permissions so that only authorized users can update LLM connection configurations.
  • Audit existing LLM connections for suspicious baseUrl changes and reset any potentially compromised API keys.
  • Monitor and log all LLM connection update requests to detect and respond to unauthorized attempts.
Compliance Impact

This vulnerability allows an authenticated, low-privileged user with "member" role access to update an LLM connection to an attacker-controlled baseUrl, potentially exposing plaintext provider LLM API keys.

Exposure of sensitive API keys could lead to unauthorized access to data or services, which may result in violations of data protection regulations such as GDPR or HIPAA if personal or sensitive data is accessed or compromised.

Therefore, this flaw could negatively impact compliance with standards that require strict access controls and protection of sensitive credentials, as it undermines role-based access control and confidentiality.

The issue has been patched in version 3.167.0, which enforces stricter permissions and requires secret keys for base URL changes, mitigating the risk of unauthorized exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart