CVE-2026-44706
Deferred Deferred - Pending Action
SQL Injection in Chatwoot via Date/Number Filters

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied values in the values field of the filter payload are interpolated directly into the SQL query without parameterization. Any authenticated user with access to an account can exploit this to execute arbitrary SQL via time-based blind injection. This affects /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id}/custom_attribute_definitions. This vulnerability is fixed in 4.11.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-44706
EUVD
EUVD-2026-31913
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chatwoot chatwoot From 2.2.0 (inc) to 4.11.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44706 is a SQL injection vulnerability in the Chatwoot customer engagement suite, affecting versions from 2.2.0 up to before 4.11.2.

The vulnerability occurs in the conversation and contact filter APIs when filtering by custom attributes of type date or number using the is_greater_than or is_less_than operators.

User-supplied values in the filter payload are directly inserted into SQL queries without proper parameterization, allowing authenticated users to execute arbitrary SQL commands via time-based blind injection.

This can be exploited through endpoints such as /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id}/custom_attribute_definitions.

Additionally, a related issue involves unparameterized interpolation of attribute keys in JSON path expressions, enabling SQL injection regardless of attribute data type.

The vulnerability has been fixed in Chatwoot version 4.11.2.

Impact Analysis

This vulnerability allows an authenticated user with access to an account to execute arbitrary SQL commands on the backend database.

An attacker can exploit this to read data across tenant boundaries, potentially accessing sensitive information such as user emails, bcrypt password hashes, API access tokens, conversation contents, contact personally identifiable information (PII), and integration credentials.

Even if an account does not have date or number custom attributes, an attacker can create such attributes via the public custom attribute definitions endpoint, making exploitation easier.

The impact includes unauthorized data disclosure and potential compromise of user accounts and integrations.

Due to the severity, users are advised to upgrade immediately or apply temporary mitigations such as restricting access to vulnerable endpoints and auditing or rotating credentials if exploitation is suspected.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the affected Chatwoot API endpoints that involve filtering by custom attributes of type date or number using the is_greater_than or is_less_than operators.

Specifically, look for POST requests to the following endpoints with suspicious payloads that include user-supplied values directly interpolated into SQL queries without parameterization:

  • /api/v1/accounts/{account_id}/conversations/filter
  • /api/v1/accounts/{account_id}/contacts/filter
  • /api/v1/accounts/{account_id}/custom_attribute_definitions

Commands to detect exploitation attempts could include using network monitoring tools like tcpdump or Wireshark to capture HTTP POST requests to these endpoints and inspecting the payloads for the use of is_greater_than or is_less_than operators with unusual or crafted values.

For example, using curl or similar tools to test the endpoints with crafted payloads can help verify if the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include upgrading Chatwoot to version 4.11.2 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, temporary mitigations include:

  • Restrict access to the vulnerable API endpoints (/api/v1/accounts/{account_id}/conversations/filter, /contacts/filter, /custom_attribute_definitions) at the reverse-proxy or Web Application Firewall (WAF) layer.
  • Remove any date and number custom attributes that could be exploited.
  • Audit and rotate credentials such as user passwords, API access tokens, and integration credentials if exploitation is suspected.
Compliance Impact

This SQL injection vulnerability allows authenticated attackers to access and exfiltrate sensitive information such as user emails, bcrypt password hashes, API access tokens, conversation contents, contact personally identifiable information (PII), and integration credentials across tenant boundaries.

Such unauthorized access and potential data breaches can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive data to protect user privacy and ensure data security.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to exposure of sensitive personal data and credentials.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44706. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart