Improper Authorization lets a user add an arbitrary agent to a Team in chatwoot/chatwoot


Reported on

Aug 15th 2022


A vulnerability in the edit-team function lets a user add any other user to a Team by ID; because the response discloses that user's email, it also lets the user learn the email of every user in Chatwoot.

Steps to reproduce

  • Log in to the app and navigate to the Team settings: {id}/settings/teams/list
  • Create a new team or edit an existing one.
  • Add an agent and intercept the request.
  • Modify the user ID; the response contains the email of this user.
  • The agent is added successfully.

Proof of Concept

request body: {"user_ids":[68250]}
method: PATCH



  • add arbitrary users via ID to a Team
  • learn the email of every user in Chatwoot
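The missing check behind this report, as an added illustration that is not Chatwoot's code: the submitted user_ids must be resolved only among members of the caller's account, never looked up globally. The account, user and email values below are constructed sample data, and the function names are hypothetical.

```ruby
# Added example (not Chatwoot's code): account-scoped team membership update.
# All data is constructed in-memory so the example runs without Rails.
require 'set'

User = Struct.new(:id, :email)

# Constructed sample data: users 1-2 belong to account 10, user 3 to account 20.
USERS = {
  1 => User.new(1, 'alice@example.com'),
  2 => User.new(2, 'bob@example.com'),
  3 => User.new(3, 'carol@other-company.example'),
}.freeze

# account_id => set of member user ids (what an account_users join table holds)
ACCOUNT_MEMBERS = {
  10 => Set[1, 2],
  20 => Set[3],
}.freeze

# Vulnerable pattern: trusts the submitted ids and resolves them globally,
# so a caller in account 10 can attach user 3 and see that user's e-mail.
def vulnerable_add_members(_account_id, user_ids)
  user_ids.map { |id| USERS.fetch(id) }
end

class NotAMemberError < StandardError; end

# Hardened pattern: ids are checked against the caller's own account before
# any record is resolved, so foreign ids are rejected without disclosing data.
def safe_add_members(account_id, user_ids)
  allowed = ACCOUNT_MEMBERS.fetch(account_id, Set.new)
  foreign = user_ids.reject { |id| allowed.include?(id) }
  raise NotAMemberError, "user ids not in account #{account_id}: #{foreign}" unless foreign.empty?
  user_ids.map { |id| USERS.fetch(id) }
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_add_members(10, [3]).map(&:email)   # discloses an address outside account 10
  begin
    safe_add_members(10, [3])
  rescue NotAMemberError => e
    puts "rejected: #{e.message}"
  end
end
```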

We are processing your report and will contact the chatwoot team within 24 hours. a year ago
We have contacted a member of the chatwoot team and are waiting to hear back a year ago
Sojan Jose validated this vulnerability a year ago
4rth4s has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the chatwoot team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the chatwoot team. We will try again in 10 days. a year ago
Tejaswini Chile marked this as fixed in 2.8 with commit 329e8c a year ago
Tejaswini Chile has been awarded the fix bounty
This vulnerability will not receive a CVE