langfuse

v3.174.0 Feature

This release adds 4 notable features for engineering teams evaluating rollout.

Published 21d Tracing

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

analytics autogen evaluation langchain large-language-models llama-index

+12 more

llm llm-evaluation llm-observability llmops monitoring observability openai playground prompt-engineering prompt-management self-hosted ycombinator

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal

editorial:auto 13d

v3.174.0 adds email verification to signup and tightens security across authentication and API access. Org-admin endpoints are now rate-limited, SSO config cache TTL reduced to 10 minutes, and API key management restricted to OWNER role.

Why it matters: Email verification secures signup. Rate-limiting org-admin endpoints mitigates API abuse. Reduced SSO cache TTL (10 min) strengthens multi-tenant config isolation. OWNER-only API key management prevents unauthorized access. Test auth flows in dev; deploy on next routine cycle.

Summary

AI summary

Email verification added on signup and multiple bugfixes across auth, web, blob export, SCIM, RBAC, agents, and CI.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Multi-tenant SSO config cache TTL reduced to 10 minutes Multi-tenant SSO config cache TTL reduced to 10 minutes Source: llm_adapter@2026-05-21 Confidence: high	—
Security	Medium	Org-admin REST endpoints rate limited Org-admin REST endpoints rate limited Source: llm_adapter@2026-05-21 Confidence: low	—
Feature
Feature	Medium	Email verification enabled on signup Email verification enabled on signup Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	More default views added to v4 traces view More default views added to v4 traces view Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	ExportFieldGroups DB column and tRPC passthrough added for blob-export ExportFieldGroups DB column and tRPC passthrough added for blob-export Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	Configurable field groups for events export introduced in blob-export Configurable field groups for events export introduced in blob-export Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	ExportSource and ExportFieldGroups exposed in public REST API for blob-export ExportSource and ExportFieldGroups exposed in public REST API for blob-export Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency
Dependency	Medium	OTEL SDK bumped to version 0.217.0 / 2.7.1 OTEL SDK bumped to version 0.217.0 / 2.7.1 Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Fast-URI dependency upgraded to 3.1.2 Fast-URI dependency upgraded to 3.1.2 Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Turbo dependency updated to 2.9.12 Turbo dependency updated to 2.9.12 Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	ProtobufJS bumped to at least version 7.5.6 ProtobufJS bumped to at least version 7.5.6 Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix
Bugfix	Medium	Read scope enforced in annotation-queues typeById Read scope enforced in annotation-queues typeById Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	SSO configs refreshed after domain verification SSO configs refreshed after domain verification Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Remote experiment URLs validated before saving Remote experiment URLs validated before saving Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Audit log emitted for public blob storage deletion Audit log emitted for public blob storage deletion Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Correct units used for charts in dashboards Correct units used for charts in dashboards Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	AUTH_DOMAINS_WITH_SSO_ENFORCEMENT enforced on email-OTP path AUTH_DOMAINS_WITH_SSO_ENFORCEMENT enforced on email-OTP path Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Bedrock reasoning content handled in shared module Bedrock reasoning content handled in shared module Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	userName casing normalized in SCIM user POST flow userName casing normalized in SCIM user POST flow Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Audit logs added for validate and runNow in blobstorage-integration Audit logs added for validate and runNow in blobstorage-integration Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Webhook fetch reused for remote experiments Webhook fetch reused for remote experiments Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Organization API key management restricted to OWNER role Organization API key management restricted to OWNER role Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Org API keys tab hidden without key access in web UI Org API keys tab hidden without key access in web UI Source: llm_adapter@2026-05-21 Confidence: low	—
Refactor	Medium	Trace folder renamed and code duplication removed Trace folder renamed and code duplication removed Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

What's Changed

Features

feat(auth): email verification on signup (LFE-8709) by @Steffen911 in https://github.com/langfuse/langfuse/pull/12427
feat(web): Add more default views to v4 traces view by @bezbac in https://github.com/langfuse/langfuse/pull/13452
feat(blob-export): add exportFieldGroups DB column and tRPC passthrough by @niklassemmler in https://github.com/langfuse/langfuse/pull/13483
feat(blob-export): add configurable field groups for events export by @niklassemmler in https://github.com/langfuse/langfuse/pull/13493
feat(blob-export): expose exportSource and exportFieldGroups in public REST API by @niklassemmler in https://github.com/langfuse/langfuse/pull/13598

Fixes / Improvments

fix(annotation-queues): enforce read scope in typeById by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13519
fix(web): emit audit log for public blob storage deletion by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13517
fix(web): refresh sso configs after domain verification by @marksalpeter in https://github.com/langfuse/langfuse/pull/13522
fix(dashboards): Use correct units for charts by @bezbac in https://github.com/langfuse/langfuse/pull/13338
fix(auth): enforce AUTH_DOMAINS_WITH_SSO_ENFORCEMENT on the email-OTP path by @Steffen911 in https://github.com/langfuse/langfuse/pull/13526
fix(shared): handle Bedrock reasoning content by @hassiebp in https://github.com/langfuse/langfuse/pull/13527
fix(scim): normalize userName casing in user POST flow by @Steffen911 in https://github.com/langfuse/langfuse/pull/13528
fix(security): rate limit org-admin REST endpoints by @Steffen911 in https://github.com/langfuse/langfuse/pull/13529
fix(sso): reduce multi-tenant SSO config cache TTL to 10 minutes by @marksalpeter in https://github.com/langfuse/langfuse/pull/13525
fix(tool-parsing): ai sdk parsing of tools by @nimarb in https://github.com/langfuse/langfuse/pull/13533
fix(rbac): keep invite totalCount aligned with project filters by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13518
fix(datasets): validate remote experiment URLs before saving by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13520
fix(blobstorage-integration): add audit logs for validate and runNow by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13535
fix: reuse webhook fetch for remote experiments by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13536
fix(rbac): restrict organization API key management to OWNER by @Steffen911 in https://github.com/langfuse/langfuse/pull/13539
fix(web): hide org API keys tab without key access by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13545
docs(agents): add production regression triage skills by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13547
fix(agents): harden shared setup docs by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13548
fix(scim): block removing last organization owner by @Steffen911 in https://github.com/langfuse/langfuse/pull/13530
fix(tool-parsing): ai sdk handle stringified jsons as well by @nimarb in https://github.com/langfuse/langfuse/pull/13550
fix(annotation-queues): fetch parent trace id from events table on cloud by @marliessophie in https://github.com/langfuse/langfuse/pull/13510
refactor(trace): rename folder and remove code duplication by @marliessophie in https://github.com/langfuse/langfuse/pull/13492
test: add column contract tests for blob export and API v2 field groups by @niklassemmler in https://github.com/langfuse/langfuse/pull/13481
docs(agents): add cloud cost analysis skill by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13555
docs(skills): require human approval before Linear handoff by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13563
docs(agents): add architecture principles by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13564
docs(agents): route cross-repo context to navigator by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13562
fix(shared): validate outbound fetch DNS at connection time by @wochinge in https://github.com/langfuse/langfuse/pull/13554
refactor(web): Migrate more icons to Spinner by @bezbac in https://github.com/langfuse/langfuse/pull/13573
fix(web): Table row spacing consistency by @bezbac in https://github.com/langfuse/langfuse/pull/13568
fix(filters): fallback to key input on empty key options by @bezbac in https://github.com/langfuse/langfuse/pull/13570
refactor(web): Clean up nextjs pages filetree by @bezbac in https://github.com/langfuse/langfuse/pull/13569
fix(tracing): Disable score columns by default in events table by @bezbac in https://github.com/langfuse/langfuse/pull/13578
fix(playground): make tools list scrollable when more than 4 are attached by @0xvasanth in https://github.com/langfuse/langfuse/pull/13439
docs(agents): add Datadog query recipes skill by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13575
fix(web): use prompt model config for experiments by @wochinge in https://github.com/langfuse/langfuse/pull/13565
fix(sso): fall back to preferred_username/upn for Azure AD when email domain mismatches by @Steffen911 in https://github.com/langfuse/langfuse/pull/13465
fix(worker): add rows_dropped metric for ClickhouseWriter exhaust by @hello-args in https://github.com/langfuse/langfuse/pull/13488
fix(llm-api-keys): scope update by project id by @hassiebp in https://github.com/langfuse/langfuse/pull/13595
fix(annotation): introduce conditional read from events table for batch action by @marliessophie in https://github.com/langfuse/langfuse/pull/13585

Chores

chore(deps): bump otel sdk to 0.217.0 / 2.7.1 by @nimarb in https://github.com/langfuse/langfuse/pull/13581
chore(web): Use new logo by @bezbac in https://github.com/langfuse/langfuse/pull/13576
chore(deps): dedupe by @nimarb in https://github.com/langfuse/langfuse/pull/13580
chore(web): Up @codemirror/search + tests for NFKD matching by @bezbac in https://github.com/langfuse/langfuse/pull/13577
chore(web): Setup storybook by @bezbac in https://github.com/langfuse/langfuse/pull/13472
chore(deps): bump fast-uri to 3.1.2 by @nimarb in https://github.com/langfuse/langfuse/pull/13538
chore: add CH-insert based seeder documentation by @Steffen911 in https://github.com/langfuse/langfuse/pull/13504
chore(deps): bump fast-xml-builder to 1.1.7 by @nimarb in https://github.com/langfuse/langfuse/pull/13534
chore(deps): bump fast-uri to 3.1.1 by @nimarb in https://github.com/langfuse/langfuse/pull/13537
chore(deps): bump turbo to 2.9.12 by @nimarb in https://github.com/langfuse/langfuse/pull/13599
chore(deps): bump protobufjs to at least 7.5.6 by @nimarb in https://github.com/langfuse/langfuse/pull/13612
ci: tighten GitHub Actions cache policy by @wochinge in https://github.com/langfuse/langfuse/pull/13613
chore: document max scores limit behaviour on scores v2 API route by @sumerman in https://github.com/langfuse/langfuse/pull/13567
ci: add Claude Code security review workflow by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13556
ci: add semgrep PR security scan by @maxdeichmann in https://github.com/langfuse/langfuse/pull/13566

New Contributors

@niklassemmler made their first contribution in https://github.com/langfuse/langfuse/pull/13481
@0xvasanth made their first contribution in https://github.com/langfuse/langfuse/pull/13439
@hello-args made their first contribution in https://github.com/langfuse/langfuse/pull/13488

Full Changelog: https://github.com/langfuse/langfuse/compare/v3.173.0...v3.174.0

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track langfuse

Get notified when new releases ship.

About langfuse

🪢 Open source LLM engineering platform: LLM Observability, metrics, evals, prompt management, playground, datasets. Integrates with OpenTelemetry, Langchain, OpenAI SDK, LiteLLM, and more. YC W23

All releases →