Responsible Disclosure
We value the security community and prioritize the security of our systems. We encourage the responsible disclosure of security vulnerabilities to help us protect the security and privacy of our users and customers.
Reporting a Vulnerability
If you believe you have found a security vulnerability in Langfuse, please send an actionable vulnerability report to security@langfuse.com.
Please include the following details in your report:
- A clear description of the vulnerability, including its potential impact.
- Steps to reproduce the vulnerability, including any specific configurations or conditions required.
- Any proof-of-concept code, scripts, or screenshots that demonstrate the vulnerability.
We will acknowledge receipt of your report, typically within 2 business days, and will work with you to understand and resolve the issue.
Focus Areas
- Improper or missing authorization checks
- Insecure role assignments or privilege escalation
- Ability to access resources or perform actions outside assigned permissions, especially across organizations
Out of Scope
The following issues are considered out of scope and will not be accepted:
- Denial of Service (DoS) attacks, including volumetric attacks or replaying captured frontend API calls at high volume
- Missing rate limiting without a demonstrated, concrete security impact
- Automated scanner output without manual verification or a working proof of concept
- Missing security headers (e.g., CSP, X-Frame-Options) without a demonstrated exploit, or a missing Secure/HttpOnly flag on non-sensitive cookies
- Testing that would result in sending spam or other unsolicited messages to Langfuse users
- Social engineering or phishing attacks against Langfuse employees or users
Our Commitment
- We will investigate reported vulnerabilities promptly.
- We will keep you informed of our progress.
- We will take appropriate steps to remediate confirmed vulnerabilities.
- We will publicly acknowledge your contribution if you wish, once the vulnerability is fixed.
Bug Bounty Program
Please note that we currently do not operate a formal bug bounty program with monetary rewards.
Hall of Fame
We appreciate the efforts of security researchers who help keep Langfuse secure. The following individuals have responsibly disclosed vulnerabilities that led to improvements:
| Reported by | PR with fix / advisory | Description |
|---|---|---|
| Ather Iqbal | #4434 | Password complexity requirements; block links in user names |
| Milan Jain | #6703 | Hyperlink injection in organization invite email |
| pyozzi | #8821 | SSRF vulnerability in webhooks |
| depthfirst | #9027, #9028 | Protect background migration endpoints |
| Carsten Csiky | #10223 | Do not expose resolved but blocked IPs in user-facing error messages |
| Team-DisclosureX Cybrgen, J Sonali | #10136, CVE-2025-64504 | Cross-organization enumeration of member and invitation lists via project membership APIs |
| David Bors at Snyk Security Labs | #10426, GHSA-w9pw-c549-5m6w | SSO account takeover via CSRF or phishing attack |
| Sankalp Tripathi | #10603 | Hyperlink injection in welcome email |
| Ophir Silverman (BleuCPU) | #10866 | Denial of Service via expensive loop rendering in LLM-as-a-Judge |
| Faizan Raza / Kolega.dev | #11311 | SSRF vulnerability in PostHog integration |
| Faizan Raza / Kolega.dev | #11395 | Unencrypted blob storage integration secret stored in Postgres when created via API |
Contact
For all security-related inquiries, including vulnerability disclosures, please contact security@langfuse.com.