CVE-2026-27954
Horizontal Privilege Escalation in Live Helper Chat Chat Actions
Publication date: 2026-02-26
Last updated on: 2026-02-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| livehelperchat | live_helper_chat | up to and including 4.52 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27954 is a vulnerability in Live Helper Chat versions up to and including 4.52: three chat-action endpoints (holdaction.php, blockuser.php and transferchat.php) do not check whether the requesting operator is permitted to access the department the chat belongs to.
These endpoints load the chat object by ID but never call erLhcoreClassChat::hasAccessToRead(), the function that enforces department-level access control (CWE-862, missing authorization).
As a result, an operator who holds the relevant role permissions can hold chats, block their visitors, or transfer chats in departments the operator is not assigned to. Because the attacker is an operator acting on another operator's chats rather than gaining administrative rights, this is a horizontal privilege escalation within the organization.
How can this vulnerability impact me?
This vulnerability allows operators to perform actions on chats outside their authorized departments: placing them on hold, blocking the visitors, or transferring them elsewhere.
Such unauthorized actions can disrupt support operations (chats disappear from the queue they belong to, visitors are blocked by staff who should never see them) and interfere with customer interactions.
Because the escalation is horizontal, it breaks the intended separation of duties and department boundaries within the organization rather than granting administrative control over the platform.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves three endpoints in Live Helper Chat (holdaction.php, blockuser.php and transferchat.php) that let operators act on chats in departments they are not assigned to, because the endpoints skip the department-level authorization check.
To detect exploitation attempts, monitor web-server access logs for requests to these endpoints and correlate them with the operators' department assignments: a request to one of these endpoints is only suspicious when the operator is not assigned to the chat's department.
For example, to pull the relevant requests out of an Apache access log:
- grep 'holdaction.php' /var/log/apache2/access.log
- grep 'blockuser.php' /var/log/apache2/access.log
- grep 'transferchat.php' /var/log/apache2/access.log
Live Helper Chat routes requests by module and view, so the module file name may not appear in the request path; matching the view name without the .php suffix (for example grep -E 'chat/(holdaction|blockuser|transferchat)' /var/log/apache2/access.log) also catches paths such as /chat/transferchat/<chat_id>.
Additionally, review application logs or audit trails for operators performing hold, block or transfer actions on chats outside their assigned departments; the access log alone identifies neither the operator nor the chat's department. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are available at this time, immediate mitigation consists of restricting operator permissions and monitoring usage.
- Restrict the role permissions that gate these actions (holduse, allowblockusers and allowtransfer) to trusted operators; an operator without the permission cannot reach the vulnerable code path at all.
- Monitor and audit operator actions on the affected endpoints, comparing the chat's department with the operator's assignments, to detect unauthorized activity.
- Consider temporarily disabling or restricting access to the vulnerable endpoints (holdaction.php, blockuser.php, transferchat.php) at the web server or reverse proxy if your operations can tolerate it.
The long-term fix is to call erLhcoreClassChat::hasAccessToRead() on the loaded chat in each affected endpoint before acting on it and to abort the request when the check fails; until an official patch is released, this requires a local code change.
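As an added example (not part of this entry and not Live Helper Chat code), the following Python script covers both the detection steps above and the department rule that the long-term fix restores, over constructed sample data. The access-log format is the standard Apache/Nginx combined format; the audit-trail layout, the department maps, the '*' all-departments marker and the body of has_access_to_read() are assumptions that stand in for the application's own erLhcoreClassChat::hasAccessToRead() and audit tables.

```python
"""Detection helpers for CVE-2026-27954 (added example; constructed data, not
Live Helper Chat code).

Stage 1 pulls requests to the three chat-action views out of a web-server
access log in combined format. Stage 2 joins an application-side audit trail
of operator actions with each chat's department and each operator's department
assignments; an action on a chat outside the operator's departments is exactly
what the unpatched endpoints allow. The rule in has_access_to_read() models
the department check the hardened endpoints must enforce server-side.
"""
import re
from collections import namedtuple

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Matches the module file name (holdaction.php) as well as the routed form
# (/chat/holdaction/<chat_id>); the chat id, when present, is captured.
ACTION_RE = re.compile(
    r'/(?P<view>holdaction|blockuser|transferchat)(?:\.php)?(?:/(?P<chat_id>\d+))?'
)

Hit = namedtuple('Hit', 'ip time view chat_id status path')


def find_action_requests(log_text):
    """Return one Hit per access-log line that targets a chat-action view."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        a = ACTION_RE.search(m.group('path'))
        if not a:
            continue
        chat_id = int(a.group('chat_id')) if a.group('chat_id') else None
        hits.append(Hit(m.group('ip'), m.group('time'), a.group('view'),
                        chat_id, int(m.group('status')), m.group('path')))
    return hits


ALL_DEPARTMENTS = '*'  # modelling choice: operator assigned to every department


def has_access_to_read(operator_id, department_id, operator_departments):
    """Department-level rule: the operator must be assigned to the chat's
    department (or to all departments). This models the check the entry
    attributes to erLhcoreClassChat::hasAccessToRead(); the real function's
    internals are assumed, not copied."""
    assigned = operator_departments.get(operator_id, set())
    return ALL_DEPARTMENTS in assigned or department_id in assigned


def cross_department_actions(actions, chat_department, operator_departments):
    """Return (operator_id, chat_id, action, department_id) for every audited
    action whose chat belongs to a department the operator is not assigned to.
    Actions on chats with no known department are skipped, not flagged."""
    flagged = []
    for operator_id, chat_id, action in actions:
        dept = chat_department.get(chat_id)
        if dept is None:
            continue
        if not has_access_to_read(operator_id, dept, operator_departments):
            flagged.append((operator_id, chat_id, action, dept))
    return flagged


# --- constructed sample data (not real logs) --------------------------------
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [26/Feb/2026:10:01:12 +0000] "GET /site_admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Feb/2026:10:02:40 +0000] "POST /chat/transferchat/4711 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Feb/2026:10:03:05 +0000] "GET /chat/holdaction/4712 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Feb/2026:10:03:30 +0000] "GET /index.php/chat/blockuser/4712 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.5 - - [26/Feb/2026:10:04:00 +0000] "GET /chat/single/4713 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Application-side audit trail: (operator_id, chat_id, action). Constructed.
SAMPLE_AUDIT = [
    (7, 4711, 'transfer'),
    (7, 4712, 'hold'),
    (7, 4712, 'block'),
    (3, 4713, 'hold'),
    (7, 9999, 'hold'),   # chat not in the department map: skipped
]
CHAT_DEPARTMENT = {4711: 1, 4712: 2, 4713: 1}          # chat_id -> department_id
OPERATOR_DEPARTMENTS = {7: {1}, 3: {ALL_DEPARTMENTS}}    # operator_id -> departments


if __name__ == '__main__':
    for h in find_action_requests(SAMPLE_ACCESS_LOG):
        print(f'{h.time} {h.ip} {h.view} chat={h.chat_id} status={h.status}')
    for op, chat, action, dept in cross_department_actions(
            SAMPLE_AUDIT, CHAT_DEPARTMENT, OPERATOR_DEPARTMENTS):
        print(f'FLAG operator {op} did {action} on chat {chat} (department {dept})')
```

Stage 1 narrows the search to the three views regardless of whether the path carries the .php suffix or the routed /chat/<view>/<id> form; stage 2 is where the actual finding comes from, because only the application knows which operator issued the request and which department the chat belongs to. On a real deployment, replace SAMPLE_AUDIT and the two maps with rows pulled from the application's own tables.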