CVE-2024-32881

9.8 CRITICAL
Published: April 26, 2024 Modified: April 15, 2026
View on NVD

Description

Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot, leading to internal Slack access. This issue was patched in version 3.63.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/danswer-ai/danswer/commit/89ff07a96b41be9e05256bd252105be233f4d28a
Source: security-advisories@github.com
https://github.com/danswer-ai/danswer/commit/bd7e21a6388775e850d6f716675a893c72881e56
Source: security-advisories@github.com
https://github.com/danswer-ai/danswer/security/advisories/GHSA-xr9w-3ggr-hr6j
Source: security-advisories@github.com
https://github.com/danswer-ai/danswer/commit/89ff07a96b41be9e05256bd252105be233f4d28a
Source: af854a3a-2127-422b-91ae-364da2661108
https://github.com/danswer-ai/danswer/commit/bd7e21a6388775e850d6f716675a893c72881e56
Source: af854a3a-2127-422b-91ae-364da2661108
https://github.com/danswer-ai/danswer/security/advisories/GHSA-xr9w-3ggr-hr6j
Source: af854a3a-2127-422b-91ae-364da2661108

6 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.8 / 10.0
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-285

Related CVEs

CVE-2026-6398 N/A
CVE-2026-40261 8.8
CVE-2026-40186 6.1
CVE-2026-40176 7.8
CVE-2026-40173 9.4