Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-vjk4-h9ah-quau
SummaryLangfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0.
Aliases
0
alias CVE-2026-24055
Fixed_packages
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24055
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12684
published_at 2026-06-11T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12775
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24055
1
reference_url https://github.com/langfuse/langfuse/commit/3adc89e4d72729eabef55e46888b8ce80a7e3b0a
reference_id 3adc89e4d72729eabef55e46888b8ce80a7e3b0a
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T12:40:28Z/
url https://github.com/langfuse/langfuse/commit/3adc89e4d72729eabef55e46888b8ce80a7e3b0a
2
reference_url https://github.com/langfuse/langfuse/security/advisories/GHSA-pvq7-vvfj-p98x
reference_id GHSA-pvq7-vvfj-p98x
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T12:40:28Z/
url https://github.com/langfuse/langfuse/security/advisories/GHSA-pvq7-vvfj-p98x
3
reference_url https://github.com/langfuse/langfuse/releases/tag/v3.147.0
reference_id v3.147.0
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T12:40:28Z/
url https://github.com/langfuse/langfuse/releases/tag/v3.147.0
4
reference_url https://langfuse.com/docs/prompt-management/features/webhooks-slack-integrations
reference_id webhooks-slack-integrations
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T12:40:28Z/
url https://langfuse.com/docs/prompt-management/features/webhooks-slack-integrations
Weaknesses
0
cwe_id 284
name Improper Access Control
description The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Exploits
Severity_range_score6.3 - 6.3
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-vjk4-h9ah-quau