PT-2026-43349 · Chatwoot · Chatwoot

Dishantchavda · Published 2026-05-26 · Updated 2026-05-26 · CVE-2026-44707

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Chatwoot versions 2.14.0 through 4.12.x

Description: A Pre-Account Takeover (Pre-ATO) issue exists in the authentication flow. Because email confirmation is not enforced before an account becomes usable, an attacker can pre-register an email address they do not own and set a password. If the legitimate owner of that email later signs in using Google OAuth or another OmniAuth provider, the OAuth flow silently confirms the existing account without invalidating the attacker's pre-set credentials. This allows the attacker to log in with their chosen password and access sensitive data entered by the victim, such as personally identifiable information (PII) and API keys.

Recommendations: Update to version 4.13.0.
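The description names two defensive checks that are missing in the affected versions: an unconfirmed account must not be usable, and an OAuth sign-in that confirms a pre-registered account must not keep the password set by whoever pre-registered it. The following is an added example, not Chatwoot's code or its fix; it models the flow in a toy in-memory store (the AccountStore class, its method names, the PBKDF2 hashing and the sample address are all assumptions made for the illustration) so the vulnerable behaviour and the hardened behaviour can be compared side by side.

```ruby
require 'securerandom'
require 'openssl'

# Toy account record. Assumed shape for this example only (not Chatwoot's model).
Account = Struct.new(:email, :password_hash, :salt, :confirmed, :sessions,
                     keyword_init: true)

class AccountStore
  PBKDF2_ITERATIONS = 10_000

  # hardened: false reproduces the behaviour the advisory describes;
  # hardened: true applies the two defensive checks.
  def initialize(hardened:)
    @hardened = hardened
    @accounts = {}
  end

  # Self-service signup: stores a password but leaves the account unconfirmed.
  def register(email, password)
    raise ArgumentError, 'email already registered' if @accounts.key?(email)
    salt = SecureRandom.hex(16)
    @accounts[email] = Account.new(email: email, salt: salt,
                                   password_hash: hash_password(password, salt),
                                   confirmed: false, sessions: [])
  end

  # Password login. Returns a session token, or nil when login is refused.
  def password_login(email, password)
    acct = @accounts[email]
    return nil unless acct && acct.password_hash
    # Check 1: an account that never confirmed its email must not be usable.
    return nil if @hardened && !acct.confirmed
    return nil unless constant_time_equal?(hash_password(password, acct.salt), acct.password_hash)
    issue_session(acct)
  end

  # OmniAuth callback: the provider asserted that the user in the browser owns +email+.
  def oauth_login(email)
    acct = @accounts[email]
    if acct.nil?
      acct = Account.new(email: email, confirmed: false, sessions: [])
      @accounts[email] = acct
    elsif @hardened && !acct.confirmed
      # Check 2: the provider vouched for the email, not for whoever set the
      # password during the unconfirmed signup. Discard that password and any
      # sessions issued against it before marking the account confirmed.
      acct.password_hash = nil
      acct.salt = nil
      acct.sessions.clear
    end
    acct.confirmed = true # vulnerable path: confirms while keeping the pre-set password
    issue_session(acct)
  end

  def session_valid?(email, token)
    acct = @accounts[email]
    !acct.nil? && acct.sessions.include?(token)
  end

  private

  def hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                               OpenSSL::Digest.new('sha256')).unpack1('H*')
  end

  # Length-checked, constant-time string comparison for the password hashes.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def issue_session(acct)
    token = SecureRandom.hex(16)
    acct.sessions << token
    token
  end
end

# Walks through the advisory's scenario: attacker pre-registers the victim's
# address with a password, the victim later signs in through OAuth, and the
# attacker retries the password. Returns what the attacker could do at each step.
def simulate_pre_ato(hardened:)
  store = AccountStore.new(hardened: hardened)
  victim = 'victim@example.com' # constructed sample address
  store.register(victim, 'attacker-chosen-password')
  attacker_before = store.password_login(victim, 'attacker-chosen-password')
  victim_session = store.oauth_login(victim)
  attacker_after = store.password_login(victim, 'attacker-chosen-password')
  {
    attacker_login_before_oauth: !attacker_before.nil?,
    attacker_session_survives_oauth: !attacker_before.nil? && store.session_valid?(victim, attacker_before),
    victim_oauth_login: !victim_session.nil?,
    attacker_login_after_oauth: !attacker_after.nil?
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{simulate_pre_ato(hardened: false)}"
  puts "hardened:   #{simulate_pre_ato(hardened: true)}"
end
```

With `hardened: false` every attacker step succeeds, matching the advisory: the pre-set password works before and after the victim's OAuth sign-in, and the attacker's session outlives it. With `hardened: true` the victim's OAuth login still succeeds, but the pre-set password is refused both before confirmation and after, because the OAuth linking step discarded it. When reviewing a real OmniAuth callback, the question to ask is exactly the one modelled in `oauth_login`: what happens to credentials and sessions that were created before the email was ever verified.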

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers: CVE-2026-44707

Affected Products: Chatwoot