CVE-2026-44706— Chatwoot: SQL Injection in Conversation/Contact Filter API via Custom Attribute Values
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44706
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Chatwoot: SQL Injection in Conversation/Contact Filter API via Custom Attribute Values
Source: NVD (National Vulnerability Database)
Vulnerability Description
Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied values in the values field of the filter payload are interpolated directly into the SQL query without parameterization. Any authenticated user with access to an account can exploit this to execute arbitrary SQL via time-based blind injection. This affects /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id}/custom_attribute_definitions. This vulnerability is fixed in 4.11.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44706
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44706
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-44706 (1)
IV. Related Vulnerabilities
Same product: chatwoot
- CVE-2026-44707
Chatwoot: Pre-Account Takeover via OAuth on Unconfirmed Acco - CVE-2026-5205
chatwoot Webhook API trigger.rb Trigger server-side request - CVE-2026-4990
chatwoot Signup Endpoint login improper authorization - CVE-2025-12246
chatwoot Admin IframeLoader.vue cross site scripting - CVE-2025-12245
chatwoot Widget IFrameHelper.js initPostMessageCommunication
Same vendor: chatwoot
- CVE-2026-44707
Chatwoot: Pre-Account Takeover via OAuth on Unconfirmed Acco - CVE-2024-0640
Stored XSS in chatwoot/chatwoot - CVE-2025-21628
Chatwoot has a Blind SQL-injection in Conversation and Conta - CVE-2021-3740
Session Fixation in chatwoot/chatwoot - CVE-2021-3742
Server-Side Request Forgery (SSRF) in chatwoot/chatwoot
Same weakness: CWE-89
- CVE-2026-9607
itsourcecode Courier Management System parcel_list.php sql i - CVE-2026-9606
itsourcecode Courier Management System manage_user.php sql i - CVE-2026-9584
code-projects Project Management System Login chk.php sql in - CVE-2026-9575
itsourcecode Student Transcript Processing System index.php - CVE-2026-9574
itsourcecode Student Transcript Processing System trans.php
V. Comments for CVE-2026-44706
No comments yet