CVE-2026-44707
Deferred - Pending Action
Pre-Account Takeover in Chatwoot Authentication Flow

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and access any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor     Product    Version / Range
chatwoot   chatwoot   From 2.14.0 (inc) to 4.13.0 (exc)
chatwoot   chatwoot   4.13.0
CWE
CWE ID    Description
CWE-287   When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-283   The product does not properly verify that a critical resource is owned by the proper entity.
Compliance Impact

This vulnerability allows an attacker to access sensitive data such as personally identifiable information (PII), API keys, and other confidential information by exploiting the authentication flow in Chatwoot. Unauthorized access to PII and sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Because the attacker can gain access without proper email confirmation and bypass legitimate authentication, this flaw undermines the integrity and confidentiality of user data, potentially resulting in non-compliance with standards that mandate secure authentication and data protection measures.

Organizations using affected versions of Chatwoot (2.14.0 to before 4.13.0) should upgrade to version 4.13.0 or later to remediate this issue and maintain compliance with relevant data protection regulations.

Executive Summary

CVE-2026-44707 is a Pre-Account Takeover (Pre-ATO) vulnerability in Chatwoot's authentication system affecting versions from 2.14.0 up to before 4.13.0.

The issue arises because email confirmation was not enforced before an account became usable. An attacker could pre-register an email address they did not own and set a password for that account.

When the legitimate owner of that email later signed in using Google OAuth or another OmniAuth provider, the OAuth flow would silently confirm the existing account without invalidating the attacker's pre-set password.

This allowed the attacker to continue logging in with the password they originally chose and access any data the victim entered into the dashboard, including personally identifiable information (PII), API keys, and other sensitive information.

The vulnerability was fixed in Chatwoot version 4.13.0 by rotating the password to a secure random value before confirming the account during the OAuth flow.

Impact Analysis

This vulnerability can allow an attacker to gain unauthorized access to your Chatwoot account by pre-registering your email address and setting a password before you authenticate via OAuth.

Once the attacker has access, they can view sensitive data you enter into the Chatwoot dashboard, including personally identifiable information (PII), API keys, and other confidential information.

The attacker’s access compromises the confidentiality and integrity of your data, potentially leading to data breaches or misuse of your account.

The vulnerability has a CVSS score of 6.8, indicating a moderate severity with high impact on confidentiality and integrity but no impact on availability.

Detection Guidance

Detection of this vulnerability involves auditing user accounts for unconfirmed registrations where an attacker may have pre-registered an email address they do not own and set a password.

Specifically, you should look for accounts that have a password set but have not completed email confirmation, as these accounts could be exploited via the OAuth login flow.

While no specific commands are provided in the resources, a practical approach would be to query your Chatwoot user database for accounts with unconfirmed email status but with passwords set.

  • Example SQL query to find such accounts (the column names are illustrative and must be matched to the actual users table schema):
    SELECT * FROM users WHERE email_confirmed = false AND encrypted_password IS NOT NULL;

Additionally, monitoring OAuth login events and correlating them with account confirmation status may help identify suspicious activity related to this vulnerability.

Mitigation Strategies

Immediate mitigation steps include upgrading Chatwoot to version 4.13.0 or later, where the vulnerability is fixed by rotating passwords to secure random values upon OAuth confirmation.

If upgrading immediately is not possible, temporary workarounds include disabling OAuth sign-in providers to prevent the exploit.

Another recommended step is to audit user accounts for unconfirmed registrations with passwords set and require those users to reset their passwords.

These steps help prevent attackers from accessing accounts using pre-set passwords after the legitimate owner authenticates via OAuth.
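To make the summary's vulnerable OAuth callback and the fix described in the mitigation steps concrete, here is an added Ruby model of the two behaviours; it is illustrative code written for this page, not Chatwoot's or Devise's source, and the User class, the callback functions and the PBKDF2 hashing are assumptions standing in for the real implementation.

```ruby
require 'securerandom'
require 'openssl'

# Assumed stand-in for a Devise-style confirmable user record (not Chatwoot's code).
class User
  attr_reader :email, :confirmed_at

  def initialize(email, password)
    @email = email
    @salt = SecureRandom.hex(16)
    @confirmed_at = nil # confirmable: a fresh registration starts unconfirmed
    set_password(password)
  end

  # Hash the password with PBKDF2-HMAC-SHA256 (stands in for Devise's bcrypt digest).
  def set_password(password)
    @digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: @salt, iterations: 10_000,
                                       length: 32, hash: 'sha256')
  end

  def valid_password?(candidate)
    @digest == OpenSSL::KDF.pbkdf2_hmac(candidate, salt: @salt, iterations: 10_000,
                                        length: 32, hash: 'sha256')
  end

  def confirm!
    @confirmed_at = Time.now
  end

  def confirmed?
    !@confirmed_at.nil?
  end
end

# Vulnerable pattern: an OAuth login for an email that already has an unconfirmed
# account simply confirms that account, leaving whatever password it carries intact.
def oauth_callback_vulnerable(users, email)
  user = users[email] ||= User.new(email, SecureRandom.hex(32))
  user.confirm!
  user
end

# Fixed pattern (as described for 4.13.0): rotate the password to a random value
# before confirming, so credentials set by a pre-registration no longer authenticate.
def oauth_callback_fixed(users, email)
  user = users[email] ||= User.new(email, SecureRandom.hex(32))
  user.set_password(SecureRandom.hex(32)) unless user.confirmed?
  user.confirm!
  user
end

# Constructed scenario: an account was pre-registered for the victim's address with
# a password the victim never chose; the victim then signs in via OAuth. Returns
# whether that pre-set password still works afterwards.
def preset_password_survives?(callback, email = 'victim@example.com')
  users = { email => User.new(email, 'preset-password') }
  callback.call(users, email)
  users[email].valid_password?('preset-password')
end
```

Running `preset_password_survives?(method(:oauth_callback_vulnerable))` returns true and the fixed variant returns false, which is exactly the property an upgrade to 4.13.0 (or a forced password reset of unconfirmed accounts) restores.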
