CVE-2026-44706
SQL Injection in Chatwoot via Date/Number Filters
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chatwoot | chatwoot | From 2.2.0 (inc) to 4.11.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44706 is a SQL injection vulnerability in the Chatwoot customer engagement suite, affecting versions from 2.2.0 up to before 4.11.2.
The vulnerability occurs in the conversation and contact filter APIs when filtering by custom attributes of type date or number using the is_greater_than or is_less_than operators.
User-supplied values in the filter payload are directly inserted into SQL queries without proper parameterization, allowing authenticated users to execute arbitrary SQL commands via time-based blind injection.
This can be exploited through endpoints such as /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id}/custom_attribute_definitions.
Additionally, a related issue involves unparameterized interpolation of attribute keys in JSON path expressions, enabling SQL injection regardless of attribute data type.
The vulnerability has been fixed in Chatwoot version 4.11.2.
How can this vulnerability impact me?
This vulnerability allows an authenticated user with access to an account to execute arbitrary SQL commands on the backend database.
An attacker can exploit this to read data across tenant boundaries, potentially accessing sensitive information such as user emails, bcrypt password hashes, API access tokens, conversation contents, contact personally identifiable information (PII), and integration credentials.
Even if an account does not have date or number custom attributes, an attacker can create such attributes via the public custom attribute definitions endpoint, making exploitation easier.
The impact includes unauthorized data disclosure and potential compromise of user accounts and integrations.
Due to the severity, users are advised to upgrade immediately or apply temporary mitigations such as restricting access to vulnerable endpoints and auditing or rotating credentials if exploitation is suspected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by monitoring requests to the affected Chatwoot API endpoints that filter on custom attributes of type date or number with the is_greater_than or is_less_than operators.
Specifically, look for POST requests to the following endpoints whose filter values are not a plain number or date, since those values are the ones the vulnerable code interpolates into SQL without parameterization:
- /api/v1/accounts/{account_id}/conversations/filter
- /api/v1/accounts/{account_id}/contacts/filter
- /api/v1/accounts/{account_id}/custom_attribute_definitions
To detect exploitation attempts, capture HTTP POST requests to these endpoints with network monitoring tools such as tcpdump or Wireshark (or, where traffic is TLS-encrypted, the reverse proxy's or application's request logs) and inspect the JSON payloads for is_greater_than or is_less_than filters carrying unusual or crafted values.
Sending test payloads to the endpoints with curl or a similar tool against a staging instance can help verify whether a deployment is still vulnerable.
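The following Ruby script is an added example, not code from the advisory or from the Chatwoot project. It applies the detection logic described above to a set of constructed request records (method, path, JSON body), as they might be reconstructed from reverse-proxy or application logs. The endpoints and the two operators come from the advisory; the filter payload shape (`payload` array with `filter_operator` and `values`) and the attribute-definition body fields are assumptions, which is why the check on the definitions endpoint looks for the strings `date`/`number` anywhere in the body rather than relying on exact field names. A filter operand is treated as benign only if it is a bare number or an ISO-8601 date or timestamp; anything else for these operators is reported.

```ruby
require 'json'

# Endpoints named in the advisory; {account_id} is matched as a run of digits.
FILTER_PATH = %r{\A/api/v1/accounts/\d+/(conversations|contacts)/filter\z}.freeze
DEFINITION_PATH = %r{\A/api/v1/accounts/\d+/custom_attribute_definitions\z}.freeze
RISKY_OPERATORS = %w[is_greater_than is_less_than].freeze

# A well-formed operand for a date/number comparison is a bare number or an
# ISO-8601 date or timestamp. Anything else (quotes, spaces, SQL keywords) is
# not something a legitimate client would send for these operators.
NUMBER_RE = /\A-?\d+(\.\d+)?\z/.freeze
ISO_DATE_RE = /\A\d{4}-\d{2}-\d{2}([T ]\d{2}:\d{2}(:\d{2})?(\.\d+)?(Z|[+-]\d{2}:?\d{2})?)?\z/.freeze

def benign_operand?(value)
  s = value.to_s.strip
  s.match?(NUMBER_RE) || s.match?(ISO_DATE_RE)
end

# Collect every string leaf of a parsed JSON document, so the check on the
# definitions endpoint does not depend on exact (assumed) field names.
def string_leaves(obj)
  case obj
  when Hash then obj.values.flat_map { |v| string_leaves(v) }
  when Array then obj.flat_map { |v| string_leaves(v) }
  when String then [obj]
  else []
  end
end

# Inspect one request record ({'method','path','body'}) and return a list of
# findings ({path:, reason:}). Non-POST requests and other paths are ignored.
def analyse_request(record)
  path = record['path'].to_s
  return [] unless record['method'] == 'POST'
  return [] unless path.match?(FILTER_PATH) || path.match?(DEFINITION_PATH)

  body = begin
    JSON.parse(record['body'].to_s)
  rescue JSON::ParserError
    return [{ path: path, reason: 'unparseable JSON body on a sensitive endpoint' }]
  end

  findings = []
  if path.match?(FILTER_PATH)
    # Assumed payload shape: {"payload":[{"filter_operator":"...","values":[...]}, ...]}
    filters = body.is_a?(Hash) ? Array(body['payload']) : []
    filters.each do |filter|
      next unless filter.is_a?(Hash)
      op = filter['filter_operator'].to_s
      next unless RISKY_OPERATORS.include?(op)
      Array(filter['values']).reject { |v| benign_operand?(v) }.each do |bad|
        findings << { path: path, reason: "#{op} with non-numeric/non-date operand #{bad.inspect}" }
      end
    end
  else
    # Creating a date or number attribute is the precondition the advisory
    # describes, so record it even though it is not an injection by itself.
    types = string_leaves(body).map(&:downcase) & %w[date number]
    unless types.empty?
      findings << { path: path, reason: "custom attribute definition of type #{types.join('/')} created" }
    end
  end
  findings
end

def scan(records)
  records.flat_map { |r| analyse_request(r) }
end

# Constructed sample records (not real traffic); account id 1 is a placeholder.
SAMPLE_REQUESTS = [
  { 'method' => 'POST', 'path' => '/api/v1/accounts/1/conversations/filter',
    'body' => '{"payload":[{"attribute_key":"renewal_date","filter_operator":"is_greater_than","values":["2026-01-01"]},' \
              '{"attribute_key":"seats","filter_operator":"is_less_than","values":["42"]}]}' },
  { 'method' => 'POST', 'path' => '/api/v1/accounts/1/contacts/filter',
    'body' => '{"payload":[{"attribute_key":"seats","filter_operator":"is_less_than","values":["10 OR 1=1"]}]}' },
  { 'method' => 'POST', 'path' => '/api/v1/accounts/1/custom_attribute_definitions',
    'body' => '{"custom_attribute":{"attribute_display_name":"Seats","attribute_display_type":"number","attribute_key":"seats"}}' },
  { 'method' => 'GET', 'path' => '/api/v1/accounts/1/contacts/filter', 'body' => '' },
  { 'method' => 'POST', 'path' => '/api/v1/accounts/1/conversations',
    'body' => '{"payload":[{"filter_operator":"is_less_than","values":["x"]}]}' },
  { 'method' => 'POST', 'path' => '/api/v1/accounts/1/conversations/filter',
    'body' => '{"payload":[{"attribute_key":"status","filter_operator":"equal_to","values":["open"]}]}' }
].freeze

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_REQUESTS).each { |f| puts "#{f[:path]}: #{f[:reason]}" }
end
```

Run against the constructed sample, the script reports the contacts filter with the malformed operand and the creation of a number-typed attribute; the benign date and numeric filters, the GET request, the unrelated path and the equality filter produce nothing. Feeding it real records requires a small adapter from your proxy or Rails log format to the `method`/`path`/`body` hash, and note that request bodies are only available if your logging captures them.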
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Chatwoot to version 4.11.2 or later, where the vulnerability has been fixed.
If upgrading immediately is not possible, temporary mitigations include:
- Restrict access to the vulnerable API endpoints (/api/v1/accounts/{account_id}/conversations/filter, /contacts/filter, /custom_attribute_definitions) at the reverse-proxy or Web Application Firewall (WAF) layer.
- Remove any date and number custom attributes that could be exploited.
- Audit and rotate credentials such as user passwords, API access tokens, and integration credentials if exploitation is suspected.