Description
Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and access any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0.
Published: 2026-05-26
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chatwoot's authentication flow allowed an attacker to pre-register an email address they did not own and set a password, without the address ever being confirmed. When the legitimate owner later signed in with an OmniAuth provider such as Google, the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then keep logging in with the original password and read any data the victim entered, including PII, API keys, and other sensitive information. This is a pre-account takeover vulnerability that effectively bypasses authentication and is classified under CWE-283 and CWE-287.

Affected Systems

The vulnerability affects the Chatwoot customer-engagement suite from version 2.14.0 up to, but not including, 4.13.0. All releases in that range that use the default authentication flow are susceptible.

Risk and Exploitability

The CVSS score of 6.8 indicates Medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so the current exploit trend is unclear. The likely attack vector is the public account-registration interface; an attacker only needs the ability to register an email address and set a password. Once the legitimate owner authenticates via OAuth, the account is automatically confirmed, so the attacker's password remains valid and grants access to the account. This makes exploitation realistic and straightforward for an adversary with nothing more than a web browser and an email address they control.

Generated by OpenCVE AI on May 26, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chatwoot 4.13.0 or later to apply the fix that enforces email confirmation before allowing account activation via OAuth.
  • Ensure the email confirmation step is mandatory before a user can log in, whether using standard authentication or an OmniAuth provider.
  • If an upgrade cannot be performed immediately, disable or restrict OmniAuth (OAuth) login for accounts that have not yet completed email confirmation.

Generated by OpenCVE AI on May 26, 2026 at 19:29 UTC.
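The following is an added illustration, not Chatwoot's own code: a toy in-memory user store (the names UserStore, omniauth_login_vulnerable, omniauth_login_hardened and scenario are assumed) that models the flow in the description above, with the vulnerable OAuth-callback pattern beside a hardened one that discards an unconfirmed record's pre-set password before confirming it, in line with the recommended actions.

```ruby
require 'digest'
require 'securerandom'
# Toy user record standing in for the application's user model (assumed, not
# Chatwoot's code): an unconfirmed record is still usable, the pre-ATO precondition.
User = Struct.new(:email, :password_digest, :confirmed_at, keyword_init: true) do
  def confirmed?; !confirmed_at.nil?; end
  def valid_password?(pw); password_digest == Digest::SHA256.hexdigest(pw); end
end

class UserStore
  def initialize; @users = {}; end
  def find(email); @users[email]; end
  # Public signup: any address can be registered with a chosen password and no
  # proof of ownership.
  def register(email, password)
    @users[email] = User.new(email: email, confirmed_at: nil,
                             password_digest: Digest::SHA256.hexdigest(password))
  end

  # Password login as the affected versions behaved: confirmation is not checked.
  def password_login(email, password)
    user = find(email)
    user if user && user.valid_password?(password)
  end
end

# Vulnerable pattern: a provider-verified email silently confirms the existing record.
def omniauth_login_vulnerable(store, verified_email)
  user = store.find(verified_email) || store.register(verified_email, SecureRandom.hex(16))
  user.confirmed_at ||= Time.now
  user
end

# Hardened pattern: an unconfirmed pre-registration has its untrusted password
# rotated to a random value before OAuth confirms it, so whoever set it loses access.
def omniauth_login_hardened(store, verified_email)
  user = store.find(verified_email) || store.register(verified_email, SecureRandom.hex(16))
  user.password_digest = Digest::SHA256.hexdigest(SecureRandom.hex(16)) unless user.confirmed?
  user.confirmed_at ||= Time.now
  user
end

# The advisory's sequence with constructed values: pre-registration, then OAuth sign-in.
def scenario(oauth_login)
  store = UserStore.new
  store.register('owner@example.test', 'preset-password')
  user = oauth_login.call(store, 'owner@example.test')
  { confirmed: user.confirmed?,
    preset_password_works: !store.password_login('owner@example.test', 'preset-password').nil? }
end
```

With the vulnerable callback the pre-set password still works after the owner's OAuth sign-in; with the hardened one the account is confirmed but that password is dead.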

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 20:15:00 +0000

Type: First Time appeared
Values added: Chatwoot; Chatwoot chatwoot

Type: Vendors & Products
Values added: Chatwoot; Chatwoot chatwoot

Tue, 26 May 2026 18:00:00 +0000

Type: Description
Values added: Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and access any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0.

Type: Title
Values added: Chatwoot: Pre-Account Takeover via OAuth on Unconfirmed Accounts

Type: Weaknesses
Values added: CWE-283, CWE-287

Type: References
Values added: (none shown)

Type: Metrics
Values added: cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:23:05.939Z

Reserved: 2026-05-07T17:07:09.317Z

Link: CVE-2026-44707

Vulnrichment

Updated: 2026-05-27T17:23:01.315Z

NVD

Status: Deferred

Published: 2026-05-26T18:16:50.743

Modified: 2026-06-17T10:51:15.293

Link: CVE-2026-44707

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T20:00:12Z

Weaknesses