SB2026050587 - Multiple vulnerabilities in Chatwoot



SB2026050587 - Multiple vulnerabilities in Chatwoot

Published: May 5, 2026

Security Bulletin ID SB2026050587
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) SQL injection (CVE-ID: CVE-2026-44706)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in the conversation and contact filter APIs when processing filter requests that use custom attributes. A remote user can send a specially crafted filter payload to disclose sensitive information.

If no date or number custom attribute exists, one can be created through the custom attribute definitions endpoint, making the precondition trivial to satisfy.


2) SQL injection (CVE-ID: N/A)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in build_custom_attr_query and not_in_custom_attr_query when processing filter requests that reference a crafted custom attribute key. A remote user can create a custom attribute with a crafted attribute_key and then trigger a filter call to disclose sensitive information.

This vector applies regardless of the custom attribute's data type.


Remediation

Install update from vendor's website.