Executive Summary

This vulnerability in Langfuse versions 3.146.0 and below involves the /api/public/slack/install endpoint, which initiates Slack OAuth using a projectId provided by the client without any authentication or authorization. Because the projectId is preserved throughout the OAuth flow and used to store installations, an attacker can link their Slack workspace to any victim project by supplying a victim's projectId. This allows the attacker to receive prompt updates sent to Slack if the victim project has existing Prompt Slack Automations configured. The attacker cannot configure automations themselves but can replace or pre-register Slack integrations that may expose prompt data. The issue was fixed in version 3.147.0 by enforcing authentication and authorization checks on this endpoint. [2, 3]

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability allows an attacker to link their Slack workspace to your Langfuse project without your authorization. If your project has existing Prompt Slack Automations, the attacker could receive prompt updates intended for your team, potentially exposing sensitive prompt data managed by Langfuse. Although the attacker cannot configure automations themselves, they can intercept prompt notifications and replace existing Slack integrations. This could lead to unauthorized disclosure of prompt content and disruption of your Slack automation workflows. [2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability potentially exposes prompt data managed by Langfuse to unauthorized Slack workspaces. However, it does not affect Langfuse Tracing data or LLM-as-a-Judge data, so personally identifiable information (PII) is not impacted. Therefore, while there is a risk of unauthorized data exposure, the vulnerability does not directly compromise PII or sensitive personal data governed by regulations like GDPR or HIPAA. Organizations should still review Slack integrations and access controls to maintain compliance and prevent unauthorized data sharing. [2]

Useful 0 Not Useful 0

Detection Guidance

Detection can involve monitoring for unauthorized Slack OAuth installations initiated via the /api/public/slack/install endpoint without authentication. You can check your server logs for unauthenticated or unauthorized requests to this endpoint, especially those including a projectId parameter. Look for HTTP 401 Unauthorized or 403 Forbidden responses indicating enforcement of authentication and authorization after patching. Additionally, review audit logs for Slack integration creation events to identify unexpected or suspicious installations. Specific commands depend on your logging setup, but for example, using grep on server logs: `grep '/api/public/slack/install' /path/to/access.log | grep -v '401'` to find potentially unauthorized calls before patching, or `grep 'Slack integration created' /path/to/audit.log` to review integration events. [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Langfuse to version 3.147.0 or later, where the vulnerability is fixed by enforcing authentication and authorization on the /api/public/slack/install endpoint. Additionally, review existing Slack integrations in your project settings to ensure only authorized Slack workspaces are linked. Optionally, reconnect Slack workspaces to enforce proper authorization. Monitor audit logs for any suspicious Slack integration creation events and revoke any unauthorized Slack workspace links. [2, 3]

Useful 0 Not Useful 0