Horizontal Privilege Escalation Vulnerability in Live Helper Chat from Live Helper Chat
CVE-2026-27954

4.9 MEDIUM

Key Information:

Vendor
CVE Published: 26 February 2026

What is CVE-2026-27954?

Live Helper Chat is an open-source application for live support on websites. In versions up to and including 4.52, the chat action endpoints (holdaction.php, blockuser.php, and transferchat.php) do not enforce access control properly because they fail to call the erLhcoreClassChat::hasAccessToRead() method. As a result, operators who hold certain role permissions (holduse, allowblockusers, allowtransfer) can perform those actions on chat sessions outside their assigned departments, leading to unauthorized control over chats and potential breaches of data privacy. As of the latest information, no patched versions have been released to address this vulnerability.
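
The gap described above, modeled as an added example (this is not Live Helper Chat source code and not part of the advisory). The Operator and Chat classes, operatorCanAccessChat() and both handler functions are hypothetical stand-ins, and the sample data is constructed; the block contrasts a handler that checks only the role permission with one that also checks the chat's department.

```php
<?php
// Hypothetical model of the flaw class; none of these names are Live Helper Chat APIs.
final class Operator {
    public function __construct(
        public array $permissions,   // role permissions, e.g. ['holduse']
        public array $departmentIds  // departments the operator is assigned to
    ) {}
    public function can(string $permission): bool {
        return in_array($permission, $this->permissions, true);
    }
}

final class Chat {
    public function __construct(public int $id, public int $departmentId, public bool $onHold = false) {}
}

// Object-level check: plays the role the advisory assigns to hasAccessToRead().
function operatorCanAccessChat(Operator $op, Chat $chat): bool {
    return in_array($chat->departmentId, $op->departmentIds, true);
}

// Pattern from the advisory: the role permission is the only gate.
function holdActionUnchecked(Operator $op, Chat $chat): bool {
    if (!$op->can('holduse')) {
        return false;
    }
    $chat->onHold = true;
    return true;
}

// Hardened form: role permission and per-chat department access are both required.
function holdActionChecked(Operator $op, Chat $chat): bool {
    if (!$op->can('holduse') || !operatorCanAccessChat($op, $chat)) {
        return false;
    }
    $chat->onHold = true;
    return true;
}

// Constructed sample data: operator assigned to department 1, chat belongs to department 2.
$operator = new Operator(['holduse'], [1]);
$foreignChat = new Chat(501, 2);

echo 'unchecked: ', holdActionUnchecked($operator, $foreignChat) ? 'allowed' : 'denied', PHP_EOL;
$foreignChat->onHold = false; // reset state before the second run
echo 'checked:   ', holdActionChecked($operator, $foreignChat) ? 'allowed' : 'denied', PHP_EOL;
```

The same two-part gate applies to the block and transfer actions with their respective permissions (allowblockusers, allowtransfer).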

Affected Version(s)

livehelperchat <= 4.52

CVSS V4

Score: 4.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
