Improper Authorization lets a user add an arbitrary agent into a Team in chatwoot/chatwoot


Reported on

Aug 15th 2022


A vulnerability in the edit-team function lets a user add another user to a Team via ID and, as a side effect, learn the email of every user in Chatwoot.

# Steps to reproduce

  • Log in to the app.
  • Navigate to the Team settings: {id}/settings/teams/list
  • Create a new team or edit an existing one.
  • Add an agent and intercept the request.
  • Modify the user ID in the request body; the response contains that user's email and the agent is added successfully.

Proof of Concept

Request body: {"user_ids":[68250]}
Method: PATCH



Impact:

  • Add arbitrary users to a Team via ID.
  • Learn the email of every user in Chatwoot.
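The root cause described above is a membership update that resolves the submitted user IDs against the global user table instead of the caller's own account. The following is an added illustration written for this write-up, not chatwoot's code or its actual fix: plain Ruby stands in for ActiveRecord, and all users, accounts and IDs are constructed sample data. It shows the unscoped lookup beside an account-scoped one that rejects foreign IDs without revealing anything about them.

```ruby
# Added illustration (not chatwoot's code): scoping a team-membership update to the
# current account so that arbitrary user IDs from the request body cannot be added.
# Plain Ruby stands in for ActiveRecord; every record below is constructed sample data.

User = Struct.new(:id, :email, :account_id)

class Account
  attr_reader :id, :users
  def initialize(id, users)
    @id = id
    @users = users.select { |u| u.account_id == id } # agents belonging to this account
  end
end

class UnauthorizedUser < StandardError; end

# Vulnerable pattern: IDs are resolved against the global user table, so any valid ID is
# accepted and the matching record (including its email) is handed back to the caller.
def add_members_unscoped(all_users, user_ids)
  user_ids.map { |uid| all_users.find { |u| u.id == uid } }.compact
end

# Hardened pattern: IDs are resolved only inside the account's own agent scope, and the
# whole request is rejected if any ID falls outside it, so neither the existence nor the
# email of another account's user is revealed.
def add_members_scoped(account, user_ids)
  ids = user_ids.map(&:to_i).uniq
  members = account.users.select { |u| ids.include?(u.id) }
  missing = ids - members.map(&:id)
  raise UnauthorizedUser, "user ids not in account" unless missing.empty?
  members
end

# Convenience check for the hardened path: true when the request is refused.
def scoped_rejects?(account, user_ids)
  add_members_scoped(account, user_ids)
  false
rescue UnauthorizedUser
  true
end

# Constructed sample data: two accounts sharing one user table.
ALL_USERS = [
  User.new(1, "alice@example.test", 10),
  User.new(2, "bob@example.test", 10),
  User.new(68250, "victim@example.test", 99), # agent of a different account
]
ACCOUNT_10 = Account.new(10, ALL_USERS)
```

Run against the sample data, the unscoped lookup returns the foreign user's email for ID 68250, while the scoped version accepts only IDs 1 and 2 and refuses the request as soon as a foreign ID is included.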

We are processing your report and will contact the chatwoot team within 24 hours. a month ago
We have contacted a member of the chatwoot team and are waiting to hear back a month ago
Sojan Jose validated this vulnerability a month ago
4rth4s has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the chatwoot team. We will try again in 7 days. a month ago
We have sent a second fix follow up to the chatwoot team. We will try again in 10 days. 25 days ago
Tejaswini Chile confirmed that a fix has been merged on 329e8c 18 days ago
Tejaswini Chile has been awarded the fix bounty