CVE-2026-44707
CVE-2026-44707 is a medium-severity vulnerability with a CVSS 3.x base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-283.
Key facts
- Severity: Medium (CVSS 3.x base score 6.8)
- EPSS exploit prediction: 0% (26th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-31916
- Weakness: CWE-283
- Published:
- Last modified:
Description
Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and access any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0.
Frequently asked questions
- What is CVE-2026-44707?
- Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and access any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0.
- How severe is CVE-2026-44707?
- CVE-2026-44707 has a CVSS 3.x base score of 6.8, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2026-44707 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-44707?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-44707 have an EU (EUVD) identifier?
- Yes. CVE-2026-44707 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-31916.
- When was CVE-2026-44707 published?
- CVE-2026-44707 was published on 2026-05-26 and last updated on 2026-06-17.
References
- https://github.com/chatwoot/chatwoot/commit/211fb1102dd208daee414cff1b8d71ea27ac5ebf
- https://github.com/chatwoot/chatwoot/pull/13878
- https://github.com/chatwoot/chatwoot/security/advisories/GHSA-8qxm-4p4p-cfhm
Other CWE-283 vulnerabilities
- CVE-2026-26016 — High (CVSS 8.1): Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version…
- CVE-2021-24501 — High (CVSS 8.1): The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user…
- CVE-2025-43882 — High (CVSS 7.8): Dell ThinOS 10, versions prior to 2508_10.0127, contains an Unverified Ownership vulnerability. A local low-privileged…
- CVE-2026-4269 — High (CVSS 7.5): A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote…
- CVE-2026-29788 — High (CVSS 7.5): TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports,…
- CVE-2025-47940 — High (CVSS 7.2): TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions…