langfuse

v3.178.0 Security

This release includes 1 security fix relevant to security teams reviewing exposed deployments.

Published 1d Tracing
✓ No known CVEs patched
This release patches 1 known CVE

Topics

analytics autogen evaluation langchain large-language-models llama-index llm llm-evaluation llm-observability llmops monitoring observability openai playground prompt-engineering prompt-management self-hosted ycombinator

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 1d

The `audit_logs` batch export now requires `auditLogs:read` and the `audit-logs` entitlement. The Langfuse agent no longer requires the `LANGFUSE_AWS_BEDROCK_REGION` setting.

Why it matters: Enforcing read entitlement for audit log exports (severity 90) safeguards sensitive logs; removing the region precondition (severity 40) simplifies configuration.

Summary

AI summary

A mixed release covering Fixes / Improvements, Chores, and agent changes.

Changes in this release

Security Critical

Enforces auditLogs:read and audit-logs entitlement for audit_logs batch exports.

Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Adds optional id parameter to `upsertDataset` in MCP.

Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Connects the in-app agent to the Langfuse MCP.

Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Derives code evaluation support from dispatcher in web UI.

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Medium

Removes explicit `LANGFUSE_AWS_BEDROCK_REGION` precondition from agent.

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Medium

Avoids duplicated basePath in Change Password link UI.

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Medium

Improves trace detail header spacing in UI.

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Medium

Adds callout for v4 when dataset run items load slowly.

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Medium

Ensures race‑safety of `createAnnotationQueueForApi` function.

Source: llm_adapter@2026-06-02

Confidence: high

Full changelog

What's Changed

Features

  • feat(agent): Connect in-app agent to langfuse MCP by @bezbac in https://github.com/langfuse/langfuse/pull/13747
  • feat(web): derive code eval support from dispatcher by @wochinge in https://github.com/langfuse/langfuse/pull/13979
  • feat(mcp): Add optional id to upsertDataset by @bezbac in https://github.com/langfuse/langfuse/pull/13946

Fixes / Improvements

  • fix(security): enforce auditLogs:read and audit-logs entitlement for audit_logs batch exports by @niklassemmler in https://github.com/langfuse/langfuse/pull/13980
  • refactor(comments): Make comment TRPC routes read from events table by @bezbac in https://github.com/langfuse/langfuse/pull/13473
  • fix(agent): Remove explicit LANGFUSE_AWS_BEDROCK_REGION precondition by @bezbac in https://github.com/langfuse/langfuse/pull/13991
  • refactor: Remove void operator usages by @bezbac in https://github.com/langfuse/langfuse/pull/13963
  • refactor: Fix void operator linting issues by @bezbac in https://github.com/langfuse/langfuse/pull/13998
  • fix(ui): better trace detail header spacings by @nkabardin in https://github.com/langfuse/langfuse/pull/13992
  • fix(datasets): Add callout for v4 if dataset run items are loading too long by @bezbac in https://github.com/langfuse/langfuse/pull/13970
  • fix(web): avoid duplicated basePath in Change Password link ; fixes #13736 by @zinodynn in https://github.com/langfuse/langfuse/pull/13738
  • fix(annotation-queues): Race-safety of createAnnotationQueueForApi by @bezbac in https://github.com/langfuse/langfuse/pull/13971

Chores

  • chore(worker): add eval execution span attributes by @hassiebp in https://github.com/langfuse/langfuse/pull/13961
  • chore: point playwright folder to /tmp by @niklassemmler in https://github.com/langfuse/langfuse/pull/13860

New Contributors

  • @nkabardin made their first contribution in https://github.com/langfuse/langfuse/pull/13992
  • @zinodynn made their first contribution in https://github.com/langfuse/langfuse/pull/13738

Full Changelog: https://github.com/langfuse/langfuse/compare/v3.177.1...v3.178.0

Security Fixes

  • Enforce auditLogs:read and audit-logs entitlement for audit_logs batch exports

About langfuse

🪢 Open source LLM engineering platform: LLM Observability, metrics, evals, prompt management, playground, datasets. Integrates with OpenTelemetry, Langchain, OpenAI SDK, LiteLLM, and more. YC W23
