What is CVE-2026-24055?

CVE-2026-24055 is a vulnerability in Langfuse, classified under Improper Access Control. Published 2026-01-22.

Is CVE-2026-24055 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Langfuse

CVE-2026-24055

Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorizat…

EPSS: 0.000 (12.6th percentile) — read the EPSS interpretation.

Affected products

Langfuse — versions >= 3.89.0, < 3.147.0

Weakness classification (CWE)

CWE-284 — Improper Access Control

Public proof-of-concept exploits

imzanggg/CVE-2026-24055-OAuth-Langfuse

References

https://github.com/langfuse/langfuse/security/advisories/GHSA-pvq7-vvfj-p98x (x_refsource_CONFIRM)
https://github.com/langfuse/langfuse/commit/3adc89e4d72729eabef55e46888b8ce80a7e3b0a (x_refsource_MISC)
https://github.com/langfuse/langfuse/releases/tag/v3.147.0 (x_refsource_MISC)
https://langfuse.com/docs/prompt-management/features/webhooks-slack-integrations (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-24055?: CVE-2026-24055 is a vulnerability in Langfuse, classified under Improper Access Control. Published 2026-01-22.
Is CVE-2026-24055 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.