Pre-Account Takeover Vulnerability in Chatwoot Customer Engagement Suite
CVE-2026-44707
What is CVE-2026-44707?
The Chatwoot customer engagement suite has a significant vulnerability in its authentication system, affecting versions from 2.14.0 up to but not including 4.13.0. An attacker could pre-register an account using an email address that does not belong to them. Because a password can be set at sign-up before the email confirmation step is completed, the attacker holds working credentials for the unconfirmed account without ever confirming it. If the legitimate owner of that email address later logged in via Google OAuth or another OmniAuth provider, the system would mistakenly confirm the account without clearing the attacker's preset credentials. As a result, the attacker could gain access to sensitive information entered by the legitimate user, including personally identifiable information (PII) and API keys. This vulnerability has been resolved in version 4.13.0, which underlines the importance of proper account validation when an existing unconfirmed account is confirmed through another authentication path.
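As an added illustration (not Chatwoot's code, and not the actual fix shipped in 4.13.0), the following Ruby sketch models the two OmniAuth callback behaviours against constructed in-memory user records: the vulnerable pattern confirms a pre-existing unconfirmed record as-is, while the hardened pattern invalidates the unverified password and session before confirming.

```ruby
require 'digest'
require 'securerandom'

# Constructed stand-in for a user record; not Chatwoot's model. SHA-256 keeps the
# example dependency-free where a real application would use bcrypt.
User = Struct.new(:email, :password_digest, :confirmed_at, :provider, :session_token,
                  keyword_init: true) do
  def confirmed?
    !confirmed_at.nil?
  end

  def password_matches?(password)
    !password_digest.nil? && password_digest == Digest::SHA256.hexdigest(password)
  end
end

# Password sign-up: the record is created with a password but stays unconfirmed until
# the confirmation email is acted on. `store` is an in-memory hash keyed by email.
def password_signup(store, email, password)
  store[email] ||= User.new(email: email,
                            password_digest: Digest::SHA256.hexdigest(password))
end

# Vulnerable pattern: the OmniAuth callback trusts the provider-verified email and
# confirms whatever record already exists, leaving the earlier password untouched.
def omniauth_callback_vulnerable(store, email, provider)
  user = store[email] ||= User.new(email: email)
  user.confirmed_at ||= Time.now
  user.provider = provider
  user
end

# Hardened pattern: a record that was never confirmed carries credentials nobody has
# proven ownership of, so replace the password with an unguessable value and rotate
# the session token before marking the account confirmed. Already-confirmed users
# keep their password.
def omniauth_callback_hardened(store, email, provider)
  user = store[email] ||= User.new(email: email)
  unless user.confirmed?
    user.password_digest = Digest::SHA256.hexdigest(SecureRandom.hex(32))
    user.session_token = SecureRandom.hex(16)
  end
  user.confirmed_at ||= Time.now
  user.provider = provider
  user
end
```

In a real deployment the same check would also revoke outstanding password-reset and API tokens issued to the unconfirmed record, which this sketch omits.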
Affected Version(s)
chatwoot >= 2.14.0, < 4.13.0
