PatchSiren cyber security CVE debrief

CVE-2026-44707 chatwoot CVE debrief

A Pre-Account Takeover (Pre-ATO) vulnerability in Chatwoot's authentication flow allowed attackers to pre-register email addresses they did not own and retain persistent access even after legitimate owners signed in via OAuth. The flaw existed because email confirmation was not enforced before accounts became usable, and the OAuth flow silently confirmed existing accounts without invalidating attacker-set credentials. This enabled ongoing unauthorized access to victim data including PII, API keys, and other sensitive information. The vulnerability affects versions 2.14.0 through 4.12.x and was fixed in version 4.13.0.

Vendor: chatwoot
Product: Unknown
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running self-hosted Chatwoot instances between versions 2.14.0 and 4.12.x, particularly those with users who may sign in via both email/password and OAuth methods. Security teams responsible for customer engagement platform integrity and data protection. Compliance officers concerned with unauthorized access to PII and API credentials stored in Chatwoot dashboards.

Technical summary

The vulnerability stems from a logic flaw in Chatwoot's account linking mechanism. When an attacker pre-registers an email address with a password, the account remains unconfirmed but functional. When the legitimate email owner subsequently authenticates via Google OAuth or another OmniAuth provider, the system links the OAuth identity to the existing account and marks it as confirmed without requiring email verification or invalidating the attacker's password. This creates a persistent compromise where both the attacker and legitimate user can access the same account. The fix in 4.13.0 likely enforces email verification before account activation or invalidates password credentials upon OAuth linking, though specific technical details should be verified against the vendor's security advisory.
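The linking logic described above, reduced to a runnable Ruby sketch. This is an added illustration, not Chatwoot's code: the :unsafe policy reproduces the flaw as summarised, and the :hardened policy is an assumed mitigation (discard the unverified password before attaching the OAuth identity), since the actual 4.13.0 change should be checked against the advisory.

```ruby
require 'digest'

# Minimal in-memory account model, constructed for this debrief (not Chatwoot's code).
Account = Struct.new(:email, :password_digest, :confirmed, :providers, keyword_init: true)

class AccountStore
  # :unsafe reproduces the described flaw; :hardened is an assumed mitigation.
  def initialize(policy)
    @policy = policy
    @accounts = {}
  end
  # Email/password sign-up: the account starts unconfirmed under both policies.
  def register_with_password(email, password)
    raise ArgumentError, "#{email} already registered" if @accounts.key?(email)
    @accounts[email] = Account.new(email: email, password_digest: digest(password),
                                   confirmed: false, providers: [])
  end
  # OAuth sign-in by the mailbox owner; the provider has verified the address.
  def link_oauth(email, provider)
    acct = @accounts[email] ||= Account.new(email: email, confirmed: false, providers: [])
    # Hardened: nobody proved ownership when that password was set, so discard it
    # (a real fix would also revoke existing sessions) before attaching the identity.
    acct.password_digest = nil if @policy == :hardened && !acct.confirmed
    acct.confirmed = true          # :unsafe stops here: the pre-set password survives
    acct.providers |= [provider]
    acct
  end
  # Password login; under :unsafe an unconfirmed account is already usable.
  def password_login?(email, password)
    acct = @accounts[email]
    return false unless acct && acct.password_digest
    return false if @policy == :hardened && !acct.confirmed
    acct.password_digest == digest(password)
  end
  private
  # SHA-256 stands in for a real password hash (bcrypt/argon2) to keep this short.
  def digest(password)
    Digest::SHA256.hexdigest(password)
  end
end
# The scenario from the summary: does the pre-registrant's password still work
# after the legitimate owner signs in via OAuth?
def pre_ato_survives?(policy)
  store = AccountStore.new(policy)
  store.register_with_password('owner@example.com', 'preregistered-secret')
  store.link_oauth('owner@example.com', :google_oauth2)
  store.password_login?('owner@example.com', 'preregistered-secret')
end
```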

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Chatwoot to version 4.13.0 or later to remediate this vulnerability.
  • Review authentication logs for suspicious pre-registrations of email addresses that were later claimed via OAuth.
  • Audit existing accounts for any that were created via email registration and subsequently linked to OAuth without password reset or credential invalidation.
  • Implement additional monitoring for accounts where the authentication method changes from password-based to OAuth-based.
  • Consider enforcing email verification requirements before allowing any account activity for email-registered accounts.

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-8qxm-4p4p-cfhm with associated fix commit and pull request. CVSS 3.1 score of 6.8 (MEDIUM) reflects network attack vector, high attack complexity, required user interaction, and high impact to confidentiality and integrity. CWE-283 (Unverified Ownership) and CWE-287 (Improper Authentication) classifications apply.
