CVE-2026-24055

MEDIUM LAB

langfuse < 3.147.0 - Unauthenticated Slack Integration Hijacking via ProjectId Spoofing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-24055. PoCs published by imzanggg.

AI-analyzed exploit summary This repository provides a detailed technical analysis and proof-of-concept for CVE-2026-24055, an improper access control vulnerability in Langfuse versions 3.89.0 to 3.146.0. The vulnerability allows unauthenticated attackers to bind their Slack workspace to any project via the `/api/public/slack/install` endpoint, leading to data leakage.

Description

Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0.

Exploits (1)

nomisec WRITEUP

by imzanggg · poc

https://github.com/imzanggg/CVE-2026-24055-OAuth-Langfuse

View Code ZIP pw:eip

This repository provides a detailed technical analysis and proof-of-concept for CVE-2026-24055, an improper access control vulnerability in Langfuse versions 3.89.0 to 3.146.0. The vulnerability allows unauthenticated attackers to bind their Slack workspace to any project via the `/api/public/slack/install` endpoint, leading to data leakage.

Classification

Writeup 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Langfuse versions 3.89.0 to 3.146.0

No auth needed

Prerequisites: Docker · Slack app with OAuth credentials · Project ID of the victim

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed May 14, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory, Mitigation x_refsource_confirm

https://github.com/langfuse/langfuse/security/advisories/GHSA-pvq7-vvfj-p98x

Patch x_refsource_misc

https://github.com/langfuse/langfuse/commit/3adc89e4d72729eabef55e46888b8ce80a7e3b0a

View Patch ZIP pw:eip

Product, Release Notes x_refsource_misc

https://github.com/langfuse/langfuse/releases/tag/v3.147.0

Product x_refsource_misc

https://langfuse.com/docs/prompt-management/features/webhooks-slack-integrations

Scores

CVSS v3 5.3

EPSS 0.0004

EPSS Percentile 12.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Lab Environment

COMMUNITY

Community Lab

docker pull docker.io/langfuse/langfuse-worker:3.147.0

docker pull docker.io/langfuse/langfuse:3.147.0

docker pull docker.io/clickhouse/clickhouse-server

docker pull cgr.dev/chainguard/minio

docker pull docker.io/langfuse/langfuse-worker:3.146.0

+1 more images

https://github.com/langfuse/langfuse

https://github.com/imzanggg/CVE-2026-24055-OAuth-Langfuse

View in Library

Details

CWE

CWE-284 CWE-862

Status published

Products (1)

langfuse/langfuse 3.89.0 - 3.147.0

Published Jan 22, 2026

Tracked Since Feb 18, 2026