Server-Side Request Forgery in Chatwoot Webhook API
CVE-2026-5205

5.3 MEDIUM

Key Information:

Vendor: Chatwoot
Status: Vendor
CVE Published: 31 March 2026

What is CVE-2026-5205?

A vulnerability has been identified in Chatwoot's Webhook API, specifically in the Webhooks::Trigger function in lib/webhooks/trigger.rb. The flaw stems from improper handling of the URL argument, which leaves the function susceptible to server-side request forgery (SSRF): the server can be made to issue requests to destinations chosen by the caller. An attacker can exploit this vulnerability remotely, potentially gaining access to internal services or resources that are not meant to be reachable from outside. Exploit code is publicly available, which increases the risk for users. Despite efforts to notify the vendor prior to disclosure, there has been no response.
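The SSRF class described above arises when a webhook URL is fetched without checking where it actually points. The following is an added defensive example, written here for illustration; it is not Chatwoot's code and not the fix for this CVE. It assumes a hypothetical WebhookUrlGuard module with a safe? method that rejects non-HTTP schemes and any destination whose resolved addresses fall in loopback, link-local, private or other non-public ranges. The resolver is injectable so the check can be exercised offline; the hostnames and addresses in the comments are constructed.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Hypothetical helper (not Chatwoot's code): decides whether a caller-supplied
# webhook URL may be fetched server-side.
module WebhookUrlGuard
  # Address ranges a webhook destination must never resolve to.
  BLOCKED_RANGES = [
    "0.0.0.0/8",      # "this" network
    "10.0.0.0/8",     # RFC 1918 private
    "100.64.0.0/10",  # carrier-grade NAT
    "127.0.0.0/8",    # loopback
    "169.254.0.0/16", # link-local
    "172.16.0.0/12",  # RFC 1918 private
    "192.168.0.0/16", # RFC 1918 private
    "::1/128",        # IPv6 loopback
    "fc00::/7",       # IPv6 unique local
    "fe80::/10"       # IPv6 link-local
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  ALLOWED_SCHEMES = %w[http https].freeze

  # resolver: callable taking a hostname and returning an array of IP strings.
  # Defaults to real DNS; tests pass a constructed lookup table instead.
  def self.safe?(url, resolver: method(:resolve))
    uri = URI.parse(url)
    return false unless ALLOWED_SCHEMES.include?(uri.scheme)

    host = uri.hostname # strips the [] around IPv6 literals
    return false if host.nil? || host.empty?

    # IP literals are checked directly; names are resolved first so that a
    # public-looking hostname pointing at an internal address is also caught.
    addresses = ip_literal?(host) ? [host] : resolver.call(host)
    return false if addresses.empty?

    # Every resolved address must be public; one internal A/AAAA record is
    # enough to reject the URL.
    addresses.all? { |addr| public_address?(addr) }
  rescue URI::InvalidURIError, IPAddr::InvalidAddressError
    false
  end

  def self.ip_literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  def self.public_address?(addr)
    ip = IPAddr.new(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 ranges apply to it.
    ip = ip.native if ip.ipv4_mapped?
    BLOCKED_RANGES.none? { |range| range.include?(ip) }
  end

  def self.resolve(host)
    Resolv.getaddresses(host)
  end
end
```

Two caveats a practitioner should keep in mind: the address vetted here must be the one actually connected to (resolve once and pin the connection to that IP, otherwise a DNS answer that changes between the check and the fetch bypasses it), and any HTTP redirect the webhook target returns must be run through the same check before being followed.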

Affected Version(s)

chatwoot 4.11.0

chatwoot 4.11.1

chatwoot 4.11.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ghufran Khan (VulDB User), VulDB