
PatchSiren cyber security CVE debrief

CVE-2026-44706 chatwoot CVE debrief

A SQL injection vulnerability in Chatwoot's conversation and contact filter APIs allows authenticated users to execute arbitrary SQL via time-based blind injection. The flaw exists in versions 2.2.0 through 4.11.1, affecting filter endpoints when using `is_greater_than` or `is_less_than` operators on custom date or number attributes. User-supplied values in the filter payload are interpolated directly into SQL queries without parameterization. The vulnerability is fixed in version 4.11.2.

Vendor: chatwoot
Product: Unknown
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running Chatwoot versions 2.2.0 through 4.11.1, particularly multi-user deployments in which authenticated users (agents, for example) are not fully trusted. Security teams monitoring for SQL injection vulnerabilities in customer engagement platforms. Developers maintaining Chatwoot deployments or forks.

Technical summary

The vulnerability resides in Chatwoot's filter API implementation for conversations and contacts. When processing filter queries with custom attributes of type `date` or `number` using comparison operators `is_greater_than` or `is_less_than`, the application fails to parameterize user input in the `values` field of the filter payload. This allows direct interpolation of attacker-controlled strings into SQL queries. The injection is exploitable as a time-based blind SQL injection, enabling authenticated users with account access to extract database contents or execute arbitrary SQL commands. The affected endpoints are: POST /api/v1/accounts/{account_id}/conversations/filter, POST /api/v1/accounts/{account_id}/contacts/filter, and related custom attribute definition endpoints. The vulnerability was introduced in version 2.2.0 and persisted through 4.11.1.
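The bug class described above is string interpolation of a filter value into SQL text. The following Ruby is an added illustration written for this debrief; it is not Chatwoot's code and does not reproduce its filter implementation. It assumes a hypothetical `custom_attributes` JSONB column queried with PostgreSQL's `->>` operator (Chatwoot's actual schema and helper names are assumptions here). `build_unsafe` mirrors the vulnerable pattern, and `build_safe` shows the fix a reviewer would expect: whitelist the operator, validate the attribute key, coerce the value to its declared type, and hand it to the database as a bind parameter rather than as SQL text.

```ruby
require "date"

# Only the two comparison operators named in the advisory; anything else is rejected.
# (Hypothetical mapping for this example, not Chatwoot's own.)
OPERATORS = {
  "is_greater_than" => ">",
  "is_less_than"    => "<"
}.freeze

class FilterError < StandardError; end

# Vulnerable pattern: the user-supplied value is spliced into the SQL string, so
# whatever the client sends becomes part of the query text. Shown for contrast only.
def build_unsafe(attribute_key, operator, value)
  op = OPERATORS.fetch(operator)
  "custom_attributes ->> '#{attribute_key}' #{op} '#{value}'"
end

# Hardened pattern: returns [sql_with_placeholders, binds]. The value never
# touches the SQL text; the driver sends it as a typed parameter.
def build_safe(attribute_key, attribute_type, operator, value)
  op = OPERATORS[operator] or raise FilterError, "unknown operator #{operator.inspect}"
  # Attribute keys come from the custom attribute definition, but validate anyway.
  raise FilterError, "bad attribute key" unless attribute_key.to_s.match?(/\A[a-z_][a-z0-9_]*\z/)
  typed = coerce(attribute_type, value)
  cast  = attribute_type == "date" ? "date" : "numeric"
  sql   = "(custom_attributes ->> ?)::#{cast} #{op} ?"
  [sql, [attribute_key, typed]]
end

# Coerce the raw value to the attribute's declared type. Anything that is not a
# well-formed number or ISO-8601 date raises, so SQL fragments cannot get through.
def coerce(type, value)
  case type
  when "number" then Float(value)               # ArgumentError/TypeError on junk
  when "date"   then Date.iso8601(value.to_s)   # Date::Error (an ArgumentError) on junk
  else raise FilterError, "unsupported attribute type #{type.inspect}"
  end
rescue ArgumentError, TypeError
  raise FilterError, "value #{value.inspect} is not a valid #{type}"
end

# Convenience for tests and callers: true if the hardened builder rejects the input.
def rejected?(*args)
  build_safe(*args)
  false
rescue FilterError
  true
end
```

Note the difference in failure mode: `build_unsafe` cannot fail on a malformed value because it never inspects it, which is exactly why the value reaches the database as SQL. `build_safe` fails closed, and the only strings that end up in the query text are the whitelisted operator and the cast, both chosen by the server.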

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Chatwoot to version 4.11.2 or later to remediate the SQL injection vulnerability.
  • If immediate patching is not possible, restrict access to the affected filter endpoints (/api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id

Evidence notes

CVE published 2026-05-26T18:16:50.607Z; modified 2026-05-26T19:37:00.120Z. Advisory source: GitHub Security Advisory GHSA-9pgm-75gg-6948. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N. CWE-89 (SQL Injection).

Official resources

2026-05-26