SB2026050587 - Multiple vulnerabilities in Chatwoot
Published: May 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) SQL injection (CVE-ID: CVE-2026-44706)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in the conversation and contact filter APIs when processing filter requests that use custom attributes. A remote user can send a specially crafted filter payload to disclose sensitive information.
If no date or number custom attribute exists, one can be created through the custom attribute definitions endpoint, making the precondition trivial to satisfy.
2) SQL injection (CVE-ID: N/A)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in build_custom_attr_query and not_in_custom_attr_query when processing filter requests that reference a crafted custom attribute key. A remote user can create a custom attribute with a crafted attribute_key and then trigger a filter call to disclose sensitive information.
This vector applies regardless of the custom attribute's data type.
Remediation
Install update from vendor's website.