CVE-2026-44707

Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and access any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/chatwoot/chatwoot/commit/211fb1102dd208daee414cff1b8d71ea27ac5ebf
https://github.com/chatwoot/chatwoot/pull/13878
https://github.com/chatwoot/chatwoot/security/advisories/GHSA-8qxm-4p4p-cfhm

Configurations

No configuration.

History

26 May 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-26 18:16

Updated : 2026-05-26 19:37

NVD link : CVE-2026-44707

Mitre link : CVE-2026-44707

CVE.ORG link : CVE-2026-44707

JSON object : View

Products Affected

No product.

CWE

CWE-283

Unverified Ownership

CWE-287

Improper Authentication

6.8 /10