Omission of Security-relevant Information in chatwoot/chatwoot


Reported on Nov 19th 2021

I'll explain it briefly: A contact is created with the email address "" and we are writing about sensitive information. userIdentifier is required to be validated with HMAC.

Now a human, on the other side of the world, comes into the chat and is asked by the bot for his email address during the chat. Without any legitimation, he simply enters "" as his email and chats with our employee. For our employee it seems as if he is writing with the real "customer1".

If the real "customer1" now writes with our agent, the fake "customer1" can read all entries just because he entered the e-mail address. Maybe I have a thinking error? But I have just been able to test it that way in various scenarios in sandbox environments. I use an account in the Chatwoot hosted environment for testing.
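The check the report asks for, as an added illustration that is not Chatwoot's own code: a visitor-supplied identifier such as an email address is only trusted when it arrives with an HMAC computed over it using the inbox's secret token, and an inbox configured to require HMAC refuses to attach an unsigned identifier to an existing contact. The token value, function names and the `hmac_mandatory` flag are constructed for this example.

```ruby
require 'openssl'

# Constructed inbox secret (not a real token). In practice this lives only on
# the chat backend and on the customer's own web server, never in the widget.
INBOX_HMAC_TOKEN = 'constructed-inbox-secret-token'.freeze

# Customer's web server: sign the identifier of a user it has authenticated.
# The widget forwards identifier + identifier_hash to the chat backend.
def sign_identifier(identifier, token = INBOX_HMAC_TOKEN)
  OpenSSL::HMAC.hexdigest('sha256', token, identifier)
end

# Constant-time string comparison so a wrong hash cannot be refined byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Chat backend: classify the identity a widget session claims.
#   :anonymous  - no identifier supplied at all
#   :unverified - identifier without a hash, accepted only when HMAC is optional
#   :verified   - identifier whose hash matches the inbox token
#   :rejected   - missing hash on an HMAC-mandatory inbox, or a wrong hash
def resolve_contact_identity(identifier:, identifier_hash:, hmac_mandatory:, token: INBOX_HMAC_TOKEN)
  return :anonymous if identifier.nil? || identifier.empty?

  if identifier_hash.nil? || identifier_hash.empty?
    # The situation in the report: an email typed into the chat with no proof.
    return hmac_mandatory ? :rejected : :unverified
  end

  secure_equal?(sign_identifier(identifier, token), identifier_hash) ? :verified : :rejected
end

# Only a verified identity may be merged into an existing contact and thereby
# see that contact's earlier conversations; anything else gets a fresh contact.
def attach_to_existing_contact?(identity)
  identity == :verified
end

if __FILE__ == $PROGRAM_NAME
  email = 'customer1@example.com' # constructed sample identifier
  puts resolve_contact_identity(identifier: email, identifier_hash: nil, hmac_mandatory: true)
  puts resolve_contact_identity(identifier: email, identifier_hash: sign_identifier(email), hmac_mandatory: true)
end
```

With `hmac_mandatory` set, the unsigned email the second visitor types is classified `:rejected` and never reaches `attach_to_existing_contact?` as true, so their session cannot be linked to the real customer's history; with it unset the backend is back in the configuration the report describes.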

We are processing your report and will contact the chatwoot team within 24 hours. (2 years ago)
We have contacted a member of the chatwoot team and are waiting to hear back. (2 years ago)
Sojan Jose validated this vulnerability. (2 years ago)
noezdev has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Sojan Jose marked this as fixed in v1.22.1 with commit 791d90. (2 years ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE. (a year ago)


Never received a reward.
