Chatwoot CVE-2026-44706 | EUVD-2026-31913
Severity: HIGH, 8.5 (CVSS 3.1, GitHub Advisory)
Weakness: SQL Injection (CWE-89)
Published: 2026-05-26 · GitHub_M

Severity by source

GitHub Advisory (primary): 8.5 HIGH, AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory; it is the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 09:34 (vuln.today)
Patch available: May 26, 2026 19:02 (EUVD)

Description (GitHub Advisory)

Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied values in the values field of the filter payload are interpolated directly into the SQL query without parameterization. Any authenticated user with access to an account can exploit this to execute arbitrary SQL via time-based blind injection. This affects /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id}/custom_attribute_definitions. This vulnerability is fixed in 4.11.2.
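As an added example (not Chatwoot's code; the column, function and payload-key names are hypothetical), the shape of the bug the advisory describes, the parameterized form that the 4.11.2 fix relies on, and a request-level check that flags filter values which would not survive coercion to the attribute's declared type:

```ruby
require 'date'

# Added example, not Chatwoot's code: filter-clause builders with hypothetical
# names, showing the interpolation bug and its parameterized replacement.
OPERATORS = { 'is_greater_than' => '>', 'is_less_than' => '<' }.freeze
CASTS = { 'date' => 'date', 'number' => 'numeric' }.freeze

# Vulnerable shape (CWE-89): the operator is fixed, but the operand taken from
# the filter payload's "values" field is dropped verbatim into the SQL text.
def vulnerable_clause(attribute_key, attribute_type, operator, value)
  "(custom_attributes ->> '#{attribute_key}')::#{CASTS.fetch(attribute_type)} " \
    "#{OPERATORS.fetch(operator)} #{value}"
end

# Hardened shape: coerce the operand to the attribute's type (anything that is
# not a date or a number raises) and pass it as a bind parameter, so the SQL
# text is constant and only the bind values vary with user input.
def safe_clause(attribute_key, attribute_type, operator, value)
  op = OPERATORS.fetch(operator) { raise ArgumentError, "unsupported operator: #{operator}" }
  cast = CASTS.fetch(attribute_type) { raise ArgumentError, "unsupported type: #{attribute_type}" }
  operand = if attribute_type == 'date'
              Date.iso8601(value.to_s).iso8601 # Date::Error (an ArgumentError) on garbage
            else
              Float(value.to_s)                # ArgumentError on garbage
            end
  ["(custom_attributes ->> ?)::#{cast} #{op} ?", [attribute_key, operand]]
end

# Request-level guard: given the filter payload and the known attribute types,
# return the entries whose values would not survive coercion. A controller
# guard or WAF rule can reject these before any query is built.
def suspicious_filters(payload, attribute_types)
  payload.select do |f|
    type = attribute_types[f['attribute_key']]
    next false unless OPERATORS.key?(f['filter_operator']) && CASTS.key?(type)
    Array(f['values']).any? do |v|
      begin
        type == 'date' ? Date.iso8601(v.to_s) : Float(v.to_s)
        false
      rescue ArgumentError
        true
      end
    end
  end
end
```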

Analysis (AI)

SQL injection in Chatwoot versions 2.2.0 through 4.11.1 allows any authenticated account user to execute arbitrary SQL via time-based blind injection by abusing unparameterized values in custom-attribute filter operators on the conversation, contact, and custom attribute definition APIs. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%, 8th percentile), but CVSS 8.5 with scope-changed confidentiality impact reflects the ability to read data beyond the attacker's account boundary. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate as low-privilege account user
Delivery: Identify date or number custom attribute
Exploit: Craft filter payload with is_greater_than operator
Install: Inject time-based blind SQL into values field
C2: POST to conversations or contacts filter API
Execute: Measure response latency to extract data bit by bit
Impact: Exfiltrate cross-tenant or system data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated Chatwoot user (CVSS PR:L) with access to at least one account that can invoke the filter APIs at /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, or /api/v1/accounts/{account_id}/custom_attribute_definitions, and the target account must have at least one custom attribute of type date or number against which the attacker can submit a filter using the is_greater_than or is_less_than operator; string-type attributes and other operators are not vulnerable. …
Risk Assessment: The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N indicates a remotely reachable, low-complexity flaw requiring only low-privilege authentication and producing a scope change with high confidentiality impact, consistent with a tenant-scoped account user reading data outside their authorization boundary via blind SQLi. …
Exploit Scenario: An attacker registers or is invited as a low-privilege agent in a Chatwoot account, then sends a POST to /api/v1/accounts/{account_id}/conversations/filter with a filter targeting a date or number custom attribute and the is_greater_than operator, embedding a time-based blind SQL payload (e.g., a CASE/pg_sleep construct) in the values field. By measuring response latency across many crafted requests, the attacker exfiltrates data from other tenants' rows or system tables one bit at a time. …
Remediation: Upgrade Chatwoot to 4.11.2 or later, the vendor-released patch that adds parameterization for the is_greater_than and is_less_than operators on date and number custom attributes; see the GitHub Security Advisory at https://github.com/chatwoot/chatwoot/security/advisories/GHSA-9pgm-75gg-6948 for the authoritative fix reference. …

Recommended Action (AI)

Within 24 hours: Inventory all Chatwoot deployments and identify affected versions (2.2.0-4.11.1). …
