Description
Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0.
Published: 2026-01-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Project Authorization Failure
Action: Patch
AI Analysis

Impact

The Langfuse platform exposes a public Slack installation endpoint that accepts a project identifier without requiring authentication. The endpoint begins an OAuth flow using the supplied projectId, preserves it throughout the exchange, and records the installation data under that project. This flaw allows an unauthenticated actor to link any Slack workspace to any Langfuse project, potentially exposing prompt updates or replacing existing prompt-to-Slack integrations. The weakness is a type of authorization bypass (CWE-284) and insecure direct object reference (CWE-862).

Affected Systems

All releases of Langfuse up to and including version 3.146.0 are affected. The vulnerability exists in the /api/public/slack/install endpoint used by every deployment of these versions.

Risk and Exploitability

The vulnerability scores moderate with a CVSS base of 6.3 and an EPSS estimate of less than 1%, indicating very low current exploitation probability, and it is not listed in the CISA KEV catalog. An attacker can trigger the flaw by making an unauthenticated HTTP request to the public Slack install endpoint, which is reachable from any network that can reach the Langfuse instance. Successful exploitation would let the attacker associate their Slack workspace with an arbitrary project and receive or alter prompt data within that project. Because the exploit path requires only network access to the public API, the threat surface is broad, though the impact is limited to the affected project rather than the entire system.

Generated by OpenCVE AI on April 18, 2026 at 03:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Langfuse v3.147.0 or later to apply the fix.
  • If an upgrade cannot be performed immediately, block external access to the /api/public/slack/install endpoint using a firewall or reverse-proxy rule until a patch is deployed.
  • Add ownership checks before initiating Slack integration so that only authenticated users can request a project’s Slack installation.
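The third recommendation, an ownership check before the Slack OAuth flow starts, is the structural fix for this class of bug: the server must decide which project an installation belongs to, and the callback must not re-read that decision from client-controlled input. The following is an added illustration, not Langfuse's own code or its fixed implementation; the session type, the in-memory membership table, the secret and the two handler functions are all hypothetical, constructed for this example. It binds the authorized projectId and user into an HMAC-signed, single-use `state` value at install time and derives the project at callback time only from that verified state.

```typescript
// Added example (not Langfuse's code): authorize the caller against the project
// before starting Slack OAuth, then carry projectId in a signed, single-use
// state so the callback never trusts a client-supplied project id.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical session shape and project-membership store (constructed data).
export interface Session { userId: string }
const projectMembers: Record<string, Set<string>> = {
  "proj-a": new Set(["user-1"]),
  "proj-b": new Set(["user-2"]),
};

// Assumption: in a real deployment this comes from server configuration.
const STATE_SECRET = "example-secret-do-not-use";

// Nonces already consumed by a callback; makes each state single-use.
const consumedNonces = new Set<string>();

function sign(payload: string): string {
  return createHmac("sha256", STATE_SECRET).update(payload).digest("hex");
}

// Install endpoint: reject anonymous callers and non-members; only then mint
// a state that records which project and which user the flow belongs to.
export function startSlackInstall(session: Session | null, projectId: string): string {
  if (!session) throw new Error("unauthenticated");
  const members = projectMembers[projectId];
  if (!members || !members.has(session.userId)) throw new Error("forbidden");
  const nonce = randomBytes(16).toString("hex");
  const payload = JSON.stringify({ projectId, userId: session.userId, nonce });
  return `${Buffer.from(payload).toString("base64url")}.${sign(payload)}`;
}

// OAuth callback: projectId is taken from the verified state, not from the
// request. The membership check is repeated because it may have changed.
export function handleSlackCallback(
  state: string,
  session: Session | null,
): { projectId: string; userId: string } {
  if (!session) throw new Error("unauthenticated");
  const dot = state.lastIndexOf(".");
  if (dot < 0) throw new Error("malformed state");
  const payload = Buffer.from(state.slice(0, dot), "base64url").toString();
  const given = Buffer.from(state.slice(dot + 1), "hex");
  const expected = Buffer.from(sign(payload), "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error("bad state signature");
  }
  const { projectId, userId, nonce } = JSON.parse(payload) as {
    projectId: string; userId: string; nonce: string;
  };
  if (userId !== session.userId) throw new Error("state issued to a different user");
  if (consumedNonces.has(nonce)) throw new Error("state already used");
  if (!projectMembers[projectId]?.has(session.userId)) throw new Error("forbidden");
  consumedNonces.add(nonce);
  // Store the installation under projectId from the verified state only.
  return { projectId, userId };
}
```

The signature covers the whole payload, so an unauthenticated party cannot mint a state for a project they do not belong to, and the callback refuses a state minted for another user or one that has already been redeemed. In a multi-instance deployment the consumed-nonce set would live in shared storage rather than process memory.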

Generated by OpenCVE AI on April 18, 2026 at 03:54 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
CPEs cpe:2.3:a:langfuse:langfuse:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Langfuse
Langfuse langfuse
Vendors & Products Langfuse
Langfuse langfuse

Thu, 22 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0.
Title Langfuse Slack OAuth Installation Endpoint Lacks Authentication, Enabling Arbitrary Project Linking
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T12:40:42.009Z

Reserved: 2026-01-20T22:30:11.778Z

Link: CVE-2026-24055

Vulnrichment

Updated: 2026-01-22T12:40:37.715Z

NVD

Status : Analyzed

Published: 2026-01-22T04:16:00.367

Modified: 2026-02-17T17:46:42.970

Link: CVE-2026-24055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses