CVE-2026-41487: Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, the
Summary
Langfuse, an open source platform for managing large language models, had a role-based access control flaw in versions 3.68.0 through 3.166.9: project-level permissions were not properly enforced, so a low-privileged project member could redirect API requests to an attacker-controlled server and potentially expose sensitive API keys. Exploitation required the attacker to already hold basic member access to the project.
Solution / Mitigation
Update to Langfuse version 3.167.0 or later, where the issue has been patched.
Vulnerability Details
EPSS: 0.0%
May 8, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41487
First tracked: May 8, 2026 at 02:11 PM
Classified by LLM (prompt v3) · confidence: 92%