Session Fixation in chatwoot/chatwoot


Reported on

Jul 5th 2021

✍️ Description

The application is vulnerable to Session Fixation: even after a user changes their password, the old sessions on other devices persist.

🕵️‍♂️ Proof of Concept

  1. Open chatwoot and log in to your account on multiple browsers.
  2. Change the password of the account on one of them and reload the other.
  3. Due to insufficient session expiration, we will not be logged out of the account in the other browser.

💥 Impact

The session will not expire even after changing the password.
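One way to close the gap the report describes, as an added Ruby example that is not part of the original report and is not Chatwoot's code or its actual fix: every session is bound to a per-user credential generation, and a password change bumps that generation and purges the user's sessions. `SessionRegistry`, its methods, and the user and device names are hypothetical, and authentication itself is assumed to happen before `issue` is called.

```ruby
require 'securerandom'

# Hypothetical in-memory model (not Chatwoot code): each session records the
# credential generation that was current when it was issued.
class SessionRegistry
  Session = Struct.new(:user_id, :generation, :device)

  def initialize
    @generation = Hash.new(0) # user_id => current credential generation
    @sessions = {}            # token => Session
  end

  # Call only after the user has authenticated successfully.
  def issue(user_id, device)
    token = SecureRandom.hex(32)
    @sessions[token] = Session.new(user_id, @generation[user_id], device)
    token
  end

  # Valid only if issued under the user's current generation. The check still
  # rejects old tokens where a cached or replicated record outlives the purge.
  def valid?(token)
    session = @sessions[token]
    !session.nil? && session.generation == @generation[session.user_id]
  end

  # Password change: bump the generation, purge every session of the user,
  # and hand the acting device a fresh token so only it stays logged in.
  def password_changed(user_id, acting_token)
    acting = @sessions[acting_token]
    unless acting && acting.user_id == user_id && valid?(acting_token)
      raise ArgumentError, 'unknown or foreign session'
    end
    @generation[user_id] += 1
    @sessions.delete_if { |_, s| s.user_id == user_id }
    issue(user_id, acting.device)
  end
end

# Constructed scenario mirroring the report's steps: two browsers are logged
# in, one changes the password, and the other must stop working.
def demo
  reg = SessionRegistry.new
  chrome = reg.issue('user-1', 'chrome')
  firefox = reg.issue('user-1', 'firefox')
  other = reg.issue('user-2', 'safari')
  fresh = reg.password_changed('user-1', chrome)
  { chrome: reg.valid?(chrome), firefox: reg.valid?(firefox),
    fresh: reg.valid?(fresh), other_user: reg.valid?(other) }
end
```
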

We have contacted a member of the chatwoot team and are waiting to hear back a year ago
a year ago


actually this feature doesn't work.

Sojan Jose validated this vulnerability a year ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sojan Jose
a year ago

Maintainer will fix the change

Jamie Slome
a year ago


@sojan-official - would it be possible to confirm the patch commit SHA that fixed this?

We can then go ahead and publish the CVE for you.

Sojan Jose confirmed that a fix has been merged on 6fdd4a a month ago
The fix bounty has been dropped