CVE-2026-27954

Name of the Vulnerable Software and Affected Versions Live Helper Chat versions up to and including 4.52

Description Live Helper Chat is an open-source application used for live support websites. The application allows operators to perform actions on chats in departments they are not assigned to due to missing access checks. Specifically, the holdaction.php, blockuser.php, and transferchat.php endpoints load chat objects by ID without calling erLhcoreClassChat::hasAccessToRead(). This allows operators with the holduse, allowblockusers, and allowtransfer role permissions to hold, block users from, or transfer chats in departments they are not authorized to access. This constitutes a horizontal privilege escalation within an organization.

Recommendations Update to a version of Live Helper Chat beyond 4.52.