Description
Live Helper Chat is an open-source application that enables live support websites. In versions up to and including 4.52, three chat action endpoints (holdaction.php, blockuser.php, and transferchat.php) load chat objects by ID without calling `erLhcoreClassChat::hasAccessToRead()`, allowing operators to act on chats in departments they are not assigned to. Operators with the relevant role permissions (holduse, allowblockusers, allowtransfer) can hold, block users from, or transfer chats in departments they are not assigned to. This is a horizontal privilege escalation within one organization. As of time of publication, no known patched versions are available.
Published: 2026-02-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Permission Escalation (department-level access)
Action: Assess Impact
AI Analysis

Impact

LiveHelperChat versions up to 4.52 allow operators with certain role permissions to load chat objects by ID without performing a required read‑access check. As a result, operators can hold, block, or transfer chats belonging to departments to which they are not assigned, granting them unauthorized actions within the same organization. This flaw constitutes a horizontal privilege escalation that enables an operator to manipulate chats beyond their intended scope.

Affected Systems

LiveHelperChat (open‑source live support application) with versions 4.52 and earlier is affected. The vulnerability is present in the holdaction.php, blockuser.php, and transferchat.php endpoints, and operators possessing the holduse, allowblockusers, or allowtransfer permissions can exploit it within the same installation.

Risk and Exploitability

The CVSS score is 4.9, indicating moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an authenticated HTTP request to one of the affected endpoints by an operator who already has the relevant permission flags. Attackers could thereby manipulate chats in departments they are not assigned to; the CVSS 4.0 vector rates this as a high integrity impact on support operations, with no confidentiality or availability impact. No patched versions are currently available, meaning the flaw remains open for exploitation until a fix is released.

Generated by OpenCVE AI on April 17, 2026 at 14:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Await an official vendor patch and upgrade to a patched version as soon as it is released
  • If no patch is available immediately, limit the holduse, allowblockusers, and allowtransfer role permissions to only those operators who absolutely require them
  • Enable comprehensive logging and audit trails for hold, block, and transfer actions so that unauthorized activity can be detected and investigated promptly
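To make the missing check and the recommended audit concrete, here is an added example (not code from Live Helper Chat or OpenCVE) that models in Python the department check the description attributes to erLhcoreClassChat::hasAccessToRead() and runs it over constructed action-log records to flag cross-department hold, block and transfer actions. The log format, field names, department model and sample data are assumptions constructed for this example; only the endpoint-to-permission mapping comes from the description above.

```python
from dataclasses import dataclass
# Role permission each affected endpoint still requires (from the advisory).
REQUIRED_PERMISSION = {
    "holdaction.php": "holduse",
    "blockuser.php": "allowblockusers",
    "transferchat.php": "allowtransfer",
}

@dataclass(frozen=True)
class Operator:
    departments: frozenset  # department IDs the operator is assigned to
    permissions: frozenset  # role permissions granted to the operator

def has_access_to_read(operator, chat_department):
    # Assumed model of erLhcoreClassChat::hasAccessToRead(): the chat's
    # department must be one the operator is assigned to.
    return chat_department in operator.departments

def classify_action(operator, endpoint, chat_department):
    # 'no-permission': the endpoints already reject this case.
    if REQUIRED_PERMISSION[endpoint] not in operator.permissions:
        return "no-permission"
    # 'cross-department': the check the vulnerable endpoints omit.
    if not has_access_to_read(operator, chat_department):
        return "cross-department"
    return "ok"

def audit(log_lines, operators, chat_departments):
    # Parse constructed "user_id endpoint chat_id" lines; flag refused actions.
    findings = []
    for line in log_lines:
        user_id, endpoint, chat_id = line.split()
        verdict = classify_action(operators[int(user_id)], endpoint, chat_departments[int(chat_id)])
        if verdict != "ok":
            findings.append((int(user_id), endpoint, int(chat_id), verdict))
    return findings

# Constructed sample data: two operators, three chats in two departments.
OPERATORS = {
    7: Operator(frozenset({1}), frozenset({"holduse", "allowtransfer"})),
    8: Operator(frozenset({1, 2}), frozenset({"allowblockusers"})),
}
CHAT_DEPARTMENTS = {100: 1, 101: 2, 102: 2}
SAMPLE_LOG = [
    "7 holdaction.php 100",    # own department: allowed
    "7 transferchat.php 101",  # department 2, not assigned: the CVE case
    "8 blockuser.php 102",     # assigned to department 2: allowed
    "8 holdaction.php 100",    # lacks holduse: already rejected
]
```

Run against real records, the `cross-department` findings are the ones a patched endpoint would have refused and are the rows worth investigating.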

Generated by OpenCVE AI on April 17, 2026 at 14:31 UTC.


Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Livehelperchat live Helper Chat
CPEs                 (none)           cpe:2.3:a:livehelperchat:live_helper_chat:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Livehelperchat live Helper Chat
Metrics              (none)           cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Livehelperchat; Livehelperchat livehelperchat
Vendors & Products   (none)           Livehelperchat; Livehelperchat livehelperchat

Thu, 26 Feb 2026 02:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           Live Helper Chat is an open-source application that enables live support websites. In versions up to and including 4.52, three chat action endpoints (holdaction.php, blockuser.php, and transferchat.php) load chat objects by ID without calling `erLhcoreClassChat::hasAccessToRead()`, allowing operators to act on chats in departments they are not assigned to. Operators with the relevant role permissions (holduse, allowblockusers, allowtransfer) can hold, block users from, or transfer chats in departments they are not assigned to. This is a horizontal privilege escalation within one organization. As of time of publication, no known patched versions are available.
Title        (none)           LiveHelperChat has department-level authorization bypass in holdaction, blockuser, and transferchat endpoints
Weaknesses   (none)           CWE-862
References   (none)
Metrics      (none)           cvssV4_0 {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T19:30:20.351Z

Reserved: 2026-02-25T03:11:36.691Z

Link: CVE-2026-27954

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-26T02:16:23.147

Modified: 2026-02-28T00:56:08.220

Link: CVE-2026-27954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses