Description
Live Helper Chat is an open-source application that enables live support websites. In version 4.84, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can change the chat hash and status and then access or tamper with the chat through visitor/widget paths. The same write primitive can set operation_admin, which is later emitted as operator-side JavaScript.
Published: 2026-05-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Live Helper Chat REST API chat update endpoint in version 4.84 allows an authenticated user with the lhchat/use permission to modify any field of a chat object. The API does not enforce department boundaries, so the attacker can change critical properties such as the chat hash, status, and the operation_admin flag. By altering the hash and status a user can gain unauthorized read or write access to chats in other departments, and by setting operation_admin the attacker can inject malicious JavaScript that is later rendered in operator‑side pages. The weakness corresponds to missing authorization controls during update, identified as CWE‑863.
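The two missing controls described above (a department-boundary check before the write, and a field allowlist that keeps server-owned fields such as the chat hash and operation_admin out of reach) can be enforced in one place in the update handler, and the value that does reach the operator page can be encoded before it is embedded in inline JavaScript. The following is an added example written for this page, not Live Helper Chat's own code; the permission string, field names and the user/chat dictionary shapes are assumptions for illustration.

```python
import copy
import json

# Assumed allowlist of fields a REST client may change. Everything else,
# including id, hash, dep_id and operation_admin, is server-owned.
UPDATABLE_FIELDS = {"status", "priority", "remarks"}


class Forbidden(Exception):
    """Raised when an update must be refused; the caller maps this to HTTP 403."""


def update_chat(user, chat, payload):
    """Return an updated copy of `chat`, or raise Forbidden.

    user:    {"permissions": set(...), "readable_departments": set(...)}
    chat:    {"id": ..., "dep_id": ..., "hash": ..., "status": ..., ...}
    payload: client-supplied dict of fields to change (assumed shapes)
    """
    if "lhchat/use" not in user["permissions"]:
        raise Forbidden("missing lhchat/use")
    # Department boundary: write scope must never exceed read scope.
    if chat["dep_id"] not in user["readable_departments"]:
        raise Forbidden("chat is in a department the user cannot read")
    # Field allowlist: reject the whole request if any field is not updatable,
    # rather than silently dropping the offending keys.
    rejected = set(payload) - UPDATABLE_FIELDS
    if rejected:
        raise Forbidden("not updatable via REST: " + ", ".join(sorted(rejected)))
    updated = copy.deepcopy(chat)
    updated.update(payload)
    return updated


def js_string_literal(value):
    """Encode `value` as a JavaScript string literal that is safe to embed in
    an inline <script> block: JSON-encode it, then escape the characters that
    could close the script element or the literal early."""
    return (json.dumps(str(value))
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))
```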

Affected Systems

LiveHelperChat, the open‑source live‑support platform, is affected when running version 4.84. The flaw is reachable by any REST user who holds the lhchat/use scope, regardless of which departments that user is permitted to read.

Risk and Exploitability

The CVSS score of 8.1 indicates a high‑severity vulnerability. Because the API requires only a single service‑level permission that is often granted to authenticated REST clients, the barrier to exploitation is low for authorized users. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, but its high impact and the ease of triggering it mean that attackers could compromise chat integrity and inject code without needing additional privileges.

Generated by OpenCVE AI on May 14, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a version where the missing department‑boundary check is fixed.
  • Revoke or restrict the lhchat/use permission for REST users until a fix is available, limiting the ability to perform chat updates across departments.
  • Prevent the operation_admin field from being echoed into operator‑side JavaScript by sanitizing its output or disabling it in configuration.

Advisories

No advisories yet.

History

Thu, 14 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Livehelperchat; Livehelperchat livehelperchat
Vendors & Products | | Livehelperchat; Livehelperchat livehelperchat

Thu, 14 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can change the chat hash and status and then access or tamper with the chat through visitor/widget paths. The same write primitive can set operation_admin, which is later emitted as operator-side JavaScript.
Title | | Live Helper Chat: REST API chat update accepts arbitrary chat fields across department boundaries
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:42:29.313Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44633

Vulnrichment

Updated: 2026-05-14T19:42:16.046Z

NVD

Status : Deferred

Published: 2026-05-14T19:16:38.293

Modified: 2026-05-15T14:44:49.877

Link: CVE-2026-44633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T21:30:12Z

Weaknesses