Severity by source
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N (GitHub Advisory)
Primary rating from GitHub Advisory · only source for this CVE.
Description (GitHub Advisory)
Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and access any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0.
Analysis (AI-generated)
Pre-Account Takeover in Chatwoot's OmniAuth integration affects all releases from 2.14.0 through 4.12.x, allowing an attacker who pre-registers a victim's email address to retain persistent login access after the legitimate owner authenticates via Google OAuth. The OAuth callback controller failed to invalidate attacker-set password credentials when confirming a pre-existing unconfirmed account, leaving the attacker's session viable indefinitely. …
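The confirmation flaw described above, modelled as an added example that is not Chatwoot's code: the in-memory store, the method names and the hardening shown (discard an unconfirmed account's password and sessions when an OAuth provider vouches for the address) are this example's own, and the actual change in 4.13.0 may differ.

```ruby
require 'openssl'
require 'securerandom'
# Toy model of the sign-up / OAuth-confirmation flow described above. Not Chatwoot
# code: an in-memory store stands in for the user model and the OmniAuth callback.
class AccountStore
  Account = Struct.new(:email, :salt, :password_digest, :confirmed, :sessions, keyword_init: true)
  def initialize(harden:)
    @harden = harden # false = the behaviour described for <4.13.0, true = hardened variant
    @accounts = {}
  end

  # Password sign-up creates an account that is usable before its e-mail is verified.
  def register(email, password)
    salt = SecureRandom.random_bytes(16)
    @accounts[email] = Account.new(email: email, salt: salt, confirmed: false, sessions: [],
                                   password_digest: digest(password, salt))
  end

  # Password login never checks `confirmed`: whoever pre-registered the address can sign
  # in for as long as their digest is still stored.
  def password_login(email, password)
    acct = @accounts[email]
    return nil unless acct&.password_digest
    return nil unless OpenSSL.fixed_length_secure_compare(acct.password_digest, digest(password, acct.salt))
    issue_session(acct)
  end

  # OmniAuth callback: the provider has asserted ownership of `email`. The vulnerable variant
  # confirms the existing account and leaves its credentials untouched; the hardened one
  # treats an unconfirmed account's password and sessions as unverified and discards them.
  def oauth_sign_in(email)
    acct = @accounts[email] ||= Account.new(email: email, confirmed: false, sessions: [])
    if @harden && !acct.confirmed
      acct.password_digest = nil # the owner sets a fresh password later through a verified flow
      acct.sessions.clear        # revoke anything opened with the pre-set password
    end
    acct.confirmed = true
    issue_session(acct)
  end
  def session_valid?(email, token)
    @accounts[email]&.sessions&.include?(token) || false
  end
  def digest(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000, length: 32, hash: 'sha256')
  end
  def issue_session(acct)
    acct.sessions.push(SecureRandom.hex(16)).last
  end
end
```

With `harden: false`, `register` followed by `oauth_sign_in` leaves `password_login` returning a session for the pre-set password; with `harden: true` it returns nil and any session opened before the OAuth confirmation fails `session_valid?`.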
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the Chatwoot instance has an OmniAuth provider (specifically Google OAuth2 or any other configured OmniAuth integration) enabled and reachable for user registration and login. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 6.8 (Medium) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N reflects a network-accessible attack requiring no attacker privileges but imposing high complexity (the attacker must know and claim the victim's email before the victim's first registration) and user interaction (the victim must choose OAuth login). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a target's corporate email address (e.g., from a LinkedIn profile or leaked contact list), navigates to a public-facing Chatwoot instance's registration page, and pre-registers that email with a password they control before the legitimate user ever creates an account. When the legitimate user later clicks 'Sign in with Google', the OmniAuth callback silently confirms the pre-existing unconfirmed account without resetting the password, and the attacker subsequently logs in with their original credentials to access the victim's customer support conversations, stored PII, and API keys. … |
| Remediation | Upgrade to Chatwoot 4.13.0, the vendor-confirmed fixed release documented in security advisory GHSA-8qxm-4p4p-cfhm and implemented via commit 211fb1102dd208daee414cff1b8d71ea27ac5ebf (https://github.com/chatwoot/chatwoot/commit/211fb1102dd208daee414cff1b8d71ea27ac5ebf) and PR #13878 (https://github.com/chatwoot/chatwoot/pull/13878). … Detailed patch versions, workarounds, and compensating controls in full report. |
EUVD identifier: EUVD-2026-31916