SQL injection in Chatwoot - #VU130051

Published: May 5, 2026


Vulnerability identifier: #VU130051
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Chatwoot
Affected software:
Chatwoot

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in the conversation and contact filter APIs when processing filter requests that use custom attributes. A remote user can send a specially crafted filter payload to disclose sensitive information.

If no date or number custom attribute exists, one can be created through the custom attribute definitions endpoint, making the precondition trivial to satisfy.
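The following Ruby snippet is an added illustration of the CWE-89 pattern described above and is not Chatwoot's code; the column name, attribute definitions, operator names and helper functions are hypothetical. It contrasts a filter builder that interpolates the custom attribute key and value into SQL with a hardened builder that resolves the key against the known definitions, takes the cast type and operator from fixed allowlists, and passes both key and value as bind parameters. Because definitions can be created by ordinary users (as the advisory notes), existence of a definition alone is not a trust boundary, which is why the key itself is bound rather than interpolated.

```ruby
require 'date'

# Constructed stand-in for the custom attribute definitions a real
# application would load from its database (hypothetical data).
CUSTOM_ATTRIBUTE_DEFINITIONS = {
  'signup_date' => 'date',
  'plan_seats'  => 'number'
}.freeze

# Fixed allowlist: the operator name from the request maps to SQL here,
# so request text never reaches the query as an operator.
OPERATORS = {
  'equal_to'     => '=',
  'greater_than' => '>',
  'less_than'    => '<'
}.freeze

# Vulnerable pattern: attribute key, operator and value are interpolated
# straight into the SQL fragment. Any quote or SQL syntax in the key or
# value becomes part of the query text.
def build_filter_unsafe(key, operator, value)
  "(custom_attributes->>'#{key}')::date #{operator} '#{value}'"
end

# Hardened pattern. Returns [sql_fragment, bind_values] in the shape an
# ActiveRecord `where(sql, *binds)` call would accept (hypothetical usage).
def build_filter_safe(key, operator, value)
  type = CUSTOM_ATTRIBUTE_DEFINITIONS[key] ||
         raise(ArgumentError, "unknown custom attribute: #{key.inspect}")
  op = OPERATORS[operator] ||
       raise(ArgumentError, "unsupported operator: #{operator.inspect}")

  # The cast follows the definition's declared type, and the value is
  # parsed into that type first so malformed input is rejected up front.
  cast, bound_value =
    case type
    when 'date'   then ['date',    Date.iso8601(value)] # raises Date::Error on bad input
    when 'number' then ['numeric', Float(value)]        # raises ArgumentError on bad input
    end

  # Both the JSONB key and the comparison value are bind parameters, so
  # neither can alter the statement's structure.
  sql = "(custom_attributes->>?)::#{cast} #{op} ?"
  [sql, [key, bound_value]]
end

if __FILE__ == $PROGRAM_NAME
  p build_filter_safe('plan_seats', 'greater_than', '10')
  p build_filter_unsafe("signup_date'", '=', '2026-01-01')
end
```

A useful regression check for this class of bug is exactly the negative case: a key or value containing a quote must raise in the hardened builder, while the unsafe builder silently emits it into the query text.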


Remediation

Install security update from vendor's website.

Sources