Langfuse

5 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty, in its original format.

Exploit
  • EPSS 0.04%
  • Published 22.01.2026 03:07:03
  • Last modified 17.02.2026 17:46:42

Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The pr...

  • EPSS 0.02%
  • Published 21.11.2025 21:49:18
  • Last modified 03.12.2025 15:24:37

Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account t...

  • EPSS 0.08%
  • Published 10.11.2025 21:51:36
  • Last modified 02.12.2025 19:04:30

Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user‑controlled orgId and used it in authorization ch...

Exploit
  • EPSS 0.1%
  • Published 24.09.2025 18:15:42
  • Last modified 02.12.2025 18:09:52

Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. This can lead to data corruption or denial of service through unauthorized access to TRPC...

Exploit
  • EPSS 0.04%
  • Published 01.09.2025 22:02:09
  • Last modified 02.12.2025 19:04:22

A security flaw has been discovered in Langfuse up to 3.88.0. Affected by this vulnerability is the function promptChangeEventSourcing of the file web/src/features/prompts/server/routers/promptRouter.ts of the component Webhook Handler. Performing ma...