Chatwoot · Chatwoot · CVE-2026-44707
**Name of the Vulnerable Software and Affected Versions**
Chatwoot versions 2.14.0 through 4.12.x
**Description**
A Pre-Account Takeover (Pre-ATO) issue exists in the authentication flow. Because email confirmation is not enforced before an account becomes usable, an attacker can pre-register an email address they do not own and set a password. If the legitimate owner of that email later signs in using Google OAuth or another OmniAuth provider, the OAuth flow silently confirms the existing account without invalidating the attacker's pre-set credentials. This allows the attacker to log in with their chosen password and access sensitive data entered by the victim, such as personally identifiable information (PII) and API keys.
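To make the defect class concrete, the following Ruby sketch is an added example, not Chatwoot's own code: it models the vulnerable OmniAuth callback pattern (confirm whatever account already carries the email) beside a hardened variant that treats credentials set before confirmation as untrusted. The in-memory `User` struct, `register`, and both callback functions are assumptions constructed here; the actual change in 4.13.0 may differ.

```ruby
require 'securerandom'
require 'digest'

# Minimal in-memory user record (constructed for this example; not Chatwoot's model).
User = Struct.new(:email, :password_digest, :confirmed, :session_token, keyword_init: true)

def digest(password)
  Digest::SHA256.hexdigest(password)
end

# Sign-up that is usable before email confirmation: this is what lets a
# third party pre-register an address they do not control.
def register(store, email, password)
  store[email] = User.new(email: email, password_digest: digest(password),
                          confirmed: false, session_token: SecureRandom.hex(8))
end

def password_login_ok?(store, email, password)
  user = store[email]
  !user.nil? && user.password_digest == digest(password)
end

# Vulnerable pattern: the OAuth callback looks the account up by email and
# marks it confirmed, leaving any pre-set password valid.
def vulnerable_oauth_callback(store, email)
  user = store[email] || register(store, email, SecureRandom.hex(16))
  user.confirmed = true
  user
end

# Hardened pattern: the OAuth identity proves ownership of the mailbox, so an
# unconfirmed account found for that email is treated as untrusted. Its
# password is invalidated and its sessions revoked before confirmation.
def hardened_oauth_callback(store, email)
  user = store[email]
  if user.nil?
    user = register(store, email, SecureRandom.hex(16))
  elsif !user.confirmed
    user.password_digest = nil                # pre-confirmation password no longer works
    user.session_token = SecureRandom.hex(8)  # revoke sessions created before confirmation
  end
  user.confirmed = true
  user
end
```

Enforcing confirmation before an account becomes usable at all removes the window entirely; the hardened callback is the defence-in-depth layer for accounts that were created before such a policy was in place.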
**Recommendations**
Update to version 4.13.0.