Executive Summary

CVE-2026-27954 is a vulnerability in Live Helper Chat versions up to 4.52 where three chat action endpoints (holdaction.php, blockuser.php, and transferchat.php) fail to properly check if an operator has permission to access a chat in a specific department.

These endpoints load chat objects by ID but do not call the function erLhcoreClassChat::hasAccessToRead(), which is responsible for enforcing department-level access control.

As a result, operators with the relevant role permissions can hold, block users from, or transfer chats in departments they are not assigned to, leading to horizontal privilege escalation within the organization.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows operators to perform actions on chats outside their authorized departments, such as holding chats, blocking users, or transferring chats.

This unauthorized access can lead to misuse of privileges, disruption of support operations, and potential interference with customer interactions.

Since it is a horizontal privilege escalation, it compromises the intended separation of duties and access controls within the organization.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves specific endpoints in LiveHelperChat (holdaction.php, blockuser.php, and transferchat.php) that allow operators to act on chats in departments they are not assigned to due to missing authorization checks.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system or network, you can monitor access logs for unusual usage of these endpoints by operators who should not have permissions for certain departments.'}, {'type': 'paragraph', 'content': 'Suggested commands include searching web server logs for requests to these endpoints, for example:'}, {'type': 'list_item', 'content': "grep 'holdaction.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep 'blockuser.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep 'transferchat.php' /var/log/apache2/access.log"}, {'type': 'paragraph', 'content': 'Additionally, review application logs or audit trails for operators performing hold, block, or transfer actions on chats outside their assigned departments.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Since no patched versions are available at this time, immediate mitigation involves restricting operator permissions and monitoring usage.

• Limit role permissions (holduse, allowblockusers, allowtransfer) to only trusted operators.
• Monitor and audit operator actions on the affected endpoints to detect unauthorized activity.
• Consider temporarily disabling or restricting access to the vulnerable endpoints (holdaction.php, blockuser.php, transferchat.php) if feasible.

The long-term fix is to apply the authorization check erLhcoreClassChat::hasAccessToRead() in the affected endpoints, but this requires code changes until an official patch is released.

Useful 0 Not Useful 0