SQL injection in Chatwoot - #VU130053
Published: May 5, 2026
Chatwoot
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in build_custom_attr_query and not_in_custom_attr_query when processing filter requests that reference a crafted custom attribute key. A remote user can create a custom attribute with a crafted attribute_key and then trigger a filter call to disclose sensitive information.
This vector applies regardless of the custom attribute's data type.