Chatwoot, a customer engagement platform, contains a SQL injection flaw in its conversation and contact filter APIs. The issue occurs when filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators; unsanitized values supplied by the user are concatenated directly into the SQL query. An attacker can exploit this by inserting time‑based blind injection payloads to execute arbitrary SQL statements, potentially compromising data integrity and confidentiality within the database.

The affected products are all installations of Chatwoot from version 2.2.0 up to, but not including, version 4.11.2. The flaw is present in the endpoints /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id}/custom_attribute_definitions, and any authenticated user with account access can exploit it.

The CVSS score of 8.5 indicates high severity. While the EPSS score is not available, the lack of a KEV listing suggests no confirmed public exploitation yet; however, the vulnerability is sufficient for on‑premise or self‑hosted deployments where an attacker can acquire account credentials. The required preconditions are: authenticated access to a Chatwoot account and use of the vulnerable filter APIs. The attack vector is network‑based, relying on an attacker’s ability to send crafted API requests to the target instance.