Description
A security vulnerability has been detected in chatwoot up to 4.11.1. The affected element is an unknown function of the file /app/login of the component Signup Endpoint. Such manipulation of the argument signupEnabled with the input true leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Improper Authorization
Action: Patch
AI Analysis

Impact

The flaw in chatwoot up to version 4.11.1 lies in the signup endpoint at /app/login. The endpoint's authorization decision depends on the signupEnabled request argument, which the client controls, so an attacker who sets it to true bypasses the check that is meant to gate self-registration and can create accounts (or obtain privileges) the operator intended to deny. The recorded weaknesses are CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization); no authentication weakness is involved, the problem is that an authorization check trusts attacker-supplied input.

Affected Systems

Chatwoot up to and including 4.11.1 is affected. No fixed version is recorded on this page.

Risk and Exploitability

The CVSS 4.0 score of 6.9 is medium; the CVSS 3.x vectors on the record carry the same metrics (network attack vector, low complexity, no privileges, no user interaction, low confidentiality, integrity and availability impact) and give a base score of 7.3, high, so triage tooling keyed on CVSS 3 will rank this higher than the headline score. The exploit maturity metric is proof of concept: the exploit is public and may be used, and the vendor did not respond to the disclosure. EPSS is below 1%, so the modelled probability of in-the-wild exploitation is low, and the CVE is not in the KEV catalog. Attackers exploit the flaw remotely, with no credentials, by sending crafted requests to the signup endpoint with signupEnabled set to true.

Generated by OpenCVE AI on March 28, 2026 at 05:54 UTC.

Remediation

No vendor fix or workaround is recorded on this page, and the vendor did not respond to the disclosure.

OpenCVE Recommended Actions

  • Apply any vendor patch or update as soon as it becomes available.
  • Disable self-service signup on the server side (Chatwoot reads this from the ENABLE_ACCOUNT_SIGNUP environment variable) and confirm that the signup endpoint rejects registration regardless of the signupEnabled value a client sends; signupEnabled is the attacker-controlled argument in this report, so a client-side toggle is not a control.
  • Where the instance serves only internal users, limit access to /app/login (and the rest of the application) to trusted IP ranges via firewall or web server rules; this is not viable where agents must log in from the public internet.
  • Put a web application firewall rule in front of the signup endpoint that rejects or alerts on requests carrying signupEnabled=true while self-signup is disabled; treat this as a stopgap, since a WAF matches the literal parameter and the authorization decision still has to be fixed on the server.

Generated by OpenCVE AI on March 28, 2026 at 05:54 UTC.
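The following is an added example, not Chatwoot's code and not part of the OpenCVE record. It illustrates the improper-authorization pattern the Impact section describes (a signup gate whose decision depends on a client-supplied signupEnabled argument) next to a hardened handler that reads only the server's policy, and it includes the check recommended above: with signup disabled server-side, a well-formed registration carrying signupEnabled=true must be rejected. The config hash, the parameter names, the status codes and the probe request are assumptions made for the example; the real Chatwoot request format is not taken from the advisory.

```ruby
# Added example (not Chatwoot code): a client-controlled "signupEnabled" flag
# deciding authorization (CWE-285), shown as a vulnerable handler beside a
# hardened one, plus a probe that tells the two apart.
#
# Assumptions (not from the advisory): the server keeps its signup policy in a
# config hash (Chatwoot exposes this as the ENABLE_ACCOUNT_SIGNUP variable),
# request parameters arrive as a Hash, and a handler returns an HTTP status.

# Server-side policy the operator actually set. Constructed for the example.
SERVER_CONFIG = { "enable_account_signup" => "false" }.freeze

# Normalise a truthy string ("true", "1", "yes") to a boolean.
def truthy?(value)
  %w[true 1 yes].include?(value.to_s.strip.downcase)
end

# Stand-in for account creation; only validates the fields it needs.
def create_account(params)
  return 422 if params["email"].to_s.empty? || params["password"].to_s.empty?
  201
end

# VULNERABLE: the handler lets a client parameter override the server policy,
# so a request carrying signupEnabled=true wins regardless of configuration.
def vulnerable_signup(params, config = SERVER_CONFIG)
  enabled = truthy?(config["enable_account_signup"])
  enabled = truthy?(params["signupEnabled"]) if params.key?("signupEnabled")
  return 403 unless enabled
  create_account(params)
end

# HARDENED: the decision reads only the server policy. A client-supplied flag
# is ignored, and its presence is recorded so probes show up in detection.
def hardened_signup(params, config = SERVER_CONFIG, audit = [])
  if params.key?("signupEnabled")
    audit << "ignored client signupEnabled=#{params['signupEnabled']}"
  end
  return 403 unless truthy?(config["enable_account_signup"])
  create_account(params)
end

# Probe: with signup disabled server-side, send a well-formed registration
# carrying signupEnabled=true. A 201 means the handler trusted the client flag.
def trusts_client_flag?(handler)
  req = { "email" => "probe@example.test", "password" => "x" * 16,
          "signupEnabled" => "true" }
  handler.call(req, { "enable_account_signup" => "false" }) == 201
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable handler trusts client flag: #{trusts_client_flag?(method(:vulnerable_signup))}"
  puts "hardened handler trusts client flag:   #{trusts_client_flag?(method(:hardened_signup))}"
end
```

Run the file directly to see the two results; the same probe, sent as a real HTTP request against a staging instance with signup disabled, is the acceptance test for any patch or WAF rule applied for this CVE.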


Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in chatwoot up to 4.11.1. The affected element is an unknown function of the file /app/login of the component Signup Endpoint. Such manipulation of the argument signupEnabled with the input true leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title chatwoot Signup Endpoint login improper authorization
Weaknesses CWE-266
CWE-285
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-27T22:10:16.728Z

Reserved: 2026-03-27T13:47:41.140Z

Link: CVE-2026-4990

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T22:16:23.753

Modified: 2026-03-27T23:17:19.180

Link: CVE-2026-4990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:29:37Z

Weaknesses