{"data":{"id":"9f0f718a-cf64-434f-8a53-f60712d8ea63","title":"CVE-2026-24055: Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/sla...","summary":"Langfuse versions 3.146.0 and earlier have a security flaw in the Slack integration endpoint: it does not properly verify the requesting user before connecting a Slack workspace to a project (classified as improper access control, CWE-284). An attacker can exploit this to connect their own Slack workspace to any project without permission, potentially gaining access to prompt changes or replacing automation integrations (configurations that automatically perform tasks when triggered). This vulnerability affects the Prompt Management feature, which stores AI prompts that can be modified.","solution":"Fixed in version 3.147.0; upgrade if running 3.146.0 or earlier.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-24055","publishedAt":"2026-01-22T04:16:00.367Z","cveId":"CVE-2026-24055","cweIds":["CWE-284"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Langfuse"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00036,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}