CVE-2026-44707
Pre-Account Takeover in Chatwoot Authentication Flow
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chatwoot | chatwoot | From 2.14.0 (inc) to 4.13.0 (exc) |
| chatwoot | chatwoot | 4.13.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-283 | The product does not properly verify that a critical resource is owned by the proper entity. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44707 is a Pre-Account Takeover (Pre-ATO) vulnerability in Chatwoot's authentication system affecting versions from 2.14.0 up to before 4.13.0.
The issue arises because email confirmation was not enforced before an account became usable. An attacker could pre-register an email address they did not own and set a password for that account.
When the legitimate owner of that email later signed in using Google OAuth or another OmniAuth provider, the OAuth flow would silently confirm the existing account without invalidating the attacker's pre-set password.
This allowed the attacker to continue logging in with the password they originally chose and access any data the victim entered into the dashboard, including personally identifiable information (PII), API keys, and other sensitive information.
The vulnerability was fixed in Chatwoot version 4.13.0 by rotating the password to a secure random value before confirming the account during the OAuth flow.
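To make the mechanism concrete, the following is an added Ruby model of the sign-up and OAuth-callback flow described above; it is not Chatwoot's code and does not use Devise. It shows why an unconfirmed account whose password was chosen by someone else survives the email owner's first OAuth login unless the password is rotated first, and contrasts that with the fixed behaviour of rotating to a random value before confirming. The class and method names (UserStore, oauth_callback_vulnerable, oauth_callback_fixed, preset_password_survives?) and the PBKDF2 stand-in for bcrypt are assumptions made for this illustration.

```ruby
# Added example (not Chatwoot's code): a stripped-down model of the
# password sign-up / OAuth-callback flow, showing the effect of rotating
# the password before confirming an existing unconfirmed account.
# All names here are assumptions for this illustration.
require 'openssl'
require 'securerandom'

# Minimal in-memory user record; confirmed_at == nil means never confirmed.
User = Struct.new(:email, :salt, :password_digest, :confirmed_at, keyword_init: true)

# PBKDF2 stands in for bcrypt so the example runs on the standard library alone.
def digest_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000,
                                     length: 32, hash: 'sha256').unpack1('H*')
end

class UserStore
  def initialize
    @users = {}
  end

  # Password sign-up: the record is created UNconfirmed but already holds a password.
  def register(email, password)
    salt = SecureRandom.hex(8)
    @users[email] = User.new(email: email, salt: salt,
                             password_digest: digest_password(password, salt),
                             confirmed_at: nil)
  end

  def find(email)
    @users[email]
  end

  # Password login: compares the digest only (confirmation handling is out of scope here).
  def password_login?(email, password)
    user = @users[email]
    return false unless user
    user.password_digest == digest_password(password, user.salt)
  end

  # Vulnerable behaviour (pre-4.13.0 as described above): the provider vouches for
  # the email, so the existing record is confirmed as-is and its password is kept.
  def oauth_callback_vulnerable(email)
    user = @users[email] || register(email, SecureRandom.hex(16))
    user.confirmed_at ||= Time.now
    user
  end

  # Fixed behaviour (4.13.0 as described above): rotate the password to a random
  # value BEFORE confirming, so any password set prior to confirmation stops working.
  def oauth_callback_fixed(email)
    user = @users[email] || register(email, SecureRandom.hex(16))
    unless user.confirmed_at
      user.salt = SecureRandom.hex(8)
      user.password_digest = digest_password(SecureRandom.hex(32), user.salt)
      user.confirmed_at = Time.now
    end
    user
  end
end

# Does a password chosen at pre-registration still authenticate after the email
# owner's first OAuth login, under the given callback implementation?
def preset_password_survives?(callback)
  store = UserStore.new
  store.register('victim@example.com', 'pre-set-password')  # constructed data
  store.public_send(callback, 'victim@example.com')          # owner signs in via OAuth
  store.password_login?('victim@example.com', 'pre-set-password')
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable flow: pre-set password still works? #{preset_password_survives?(:oauth_callback_vulnerable)}"
  puts "fixed flow:      pre-set password still works? #{preset_password_survives?(:oauth_callback_fixed)}"
end
```

Run it directly to see the two outcomes side by side; the only difference between the two callbacks is the rotation step, which is the whole of the fix described for 4.13.0.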
How can this vulnerability impact me?
This vulnerability can allow an attacker to gain unauthorized access to your Chatwoot account by pre-registering your email address and setting a password before you authenticate via OAuth.
Once the attacker has access, they can view sensitive data you enter into the Chatwoot dashboard, including personally identifiable information (PII), API keys, and other confidential information.
The attacker's access compromises the confidentiality and integrity of your data, potentially leading to data breaches or misuse of your account.
The vulnerability has a CVSS score of 6.8, indicating a moderate severity with high impact on confidentiality and integrity but no impact on availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves auditing user accounts for unconfirmed registrations where an attacker may have pre-registered an email address they do not own and set a password.
Specifically, you should look for accounts that have a password set but have not completed email confirmation, as these accounts could be exploited via the OAuth login flow.
While no specific commands are provided in the resources, a practical approach would be to query your Chatwoot user database for accounts with unconfirmed email status but with passwords set.
- Example SQL query to find such accounts:

```sql
SELECT * FROM users WHERE email_confirmed = false AND encrypted_password IS NOT NULL;
```

Column names in this query are illustrative: if your deployment tracks confirmation with Devise's :confirmable module, the confirmation state lives in confirmed_at (NULL means never confirmed) rather than in an email_confirmed flag, so adapt the WHERE clause to the deployed schema.
Additionally, monitoring OAuth login events and correlating them with account confirmation status may help identify suspicious activity related to this vulnerability.
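The audit and the log correlation just described, as an added Ruby example that is not part of this page or of Chatwoot: it runs over a few constructed user rows and constructed OAuth-callback log lines, lists unconfirmed accounts that already hold a password, and flags OAuth sign-ins that coincided with the confirmation of a password-bearing account, which are the candidates for a forced password reset. The field names (email, encrypted_password, confirmed_at), the log line format and the 60-second window are assumptions.

```ruby
# Added example (not Chatwoot's code): audit user rows for unconfirmed accounts
# with a password, and correlate OAuth callback events with confirmation time.
# Field names, the log format and the sample data are constructed assumptions.
require 'time'

UserRow = Struct.new(:email, :encrypted_password, :confirmed_at, keyword_init: true)
OAuthEvent = Struct.new(:at, :provider, :email, keyword_init: true)

# Constructed sample rows (not real data); nil confirmed_at means never confirmed.
SAMPLE_USERS = [
  UserRow.new(email: 'alice@example.com', encrypted_password: '$2a$..a',
              confirmed_at: Time.iso8601('2026-05-01T09:00:00Z')),
  UserRow.new(email: 'bob@example.com',   encrypted_password: '$2a$..b',
              confirmed_at: nil),
  UserRow.new(email: 'carol@example.com', encrypted_password: '$2a$..c',
              confirmed_at: Time.iso8601('2026-05-20T10:00:03Z')),
  UserRow.new(email: 'dave@example.com',  encrypted_password: '',
              confirmed_at: nil),
].freeze

# Constructed OAuth callback log lines in a made-up "key=value" format.
SAMPLE_LOG = <<~LOG
  2026-05-20T10:00:02Z oauth_callback provider=google_oauth2 email=carol@example.com
  2026-05-21T08:15:00Z oauth_callback provider=google_oauth2 email=alice@example.com
  2026-05-21T08:16:00Z password_login email=bob@example.com
LOG

LINE_RE = /\A(\S+) oauth_callback provider=(\S+) email=(\S+)\z/

# Parse only the OAuth callback lines; other log lines are ignored.
def parse_oauth_events(log)
  log.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip) or next
    OAuthEvent.new(at: Time.iso8601(m[1]), provider: m[2], email: m[3])
  end
end

# (a) accounts that hold a password but never completed email confirmation
def unconfirmed_with_password(rows)
  rows.select { |u| u.confirmed_at.nil? && !u.encrypted_password.to_s.empty? }
      .map(&:email)
end

# (b) OAuth sign-ins that landed on a password-bearing account and coincided with
# its confirmation (within `window` seconds): candidates for a forced reset.
def oauth_confirmed_preset_accounts(rows, events, window: 60)
  by_email = rows.to_h { |u| [u.email, u] }
  events.filter_map do |ev|
    u = by_email[ev.email] or next
    next if u.confirmed_at.nil? || u.encrypted_password.to_s.empty?
    next unless (u.confirmed_at - ev.at).abs <= window
    [u.email, ev.provider]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unconfirmed accounts with a password: #{unconfirmed_with_password(SAMPLE_USERS).inspect}"
  events = parse_oauth_events(SAMPLE_LOG)
  puts "OAuth logins that confirmed a password-bearing account: " \
       "#{oauth_confirmed_preset_accounts(SAMPLE_USERS, events).inspect}"
end
```

The correlation in (b) cannot by itself tell a rotated password from a pre-set one, since a fixed deployment also leaves a (random) password on the account; its purpose is to narrow the set of accounts whose owners should be asked to reset, which is the step the mitigation guidance on this page recommends.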
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Chatwoot to version 4.13.0 or later, where the vulnerability is fixed by rotating passwords to secure random values upon OAuth confirmation.
If upgrading immediately is not possible, temporary workarounds include disabling OAuth sign-in providers to prevent the exploit.
Another recommended step is to audit user accounts for unconfirmed registrations with passwords set and require those users to reset their passwords.
These steps help prevent attackers from accessing accounts using pre-set passwords after the legitimate owner authenticates via OAuth.