CVE-2026-4990 Overview
A security vulnerability has been identified in Chatwoot up to version 4.11.1, affecting the /app/login component of the Signup Endpoint. The vulnerability allows attackers to set the signupEnabled argument to true, leading to improper authorization. This flaw can be exploited remotely without authentication, potentially allowing unauthorized users to bypass signup restrictions and gain access to the application.
Critical Impact
Remote attackers can bypass authorization controls to enable signups and potentially gain unauthorized access to Chatwoot instances where registration should be disabled.
Affected Products
- Chatwoot versions up to and including 4.11.1
- Chatwoot Signup Endpoint (/app/login)
- Self-hosted Chatwoot deployments with signup controls
Discovery Timeline
- 2026-03-27 - CVE-2026-4990 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-4990
Vulnerability Analysis
This vulnerability is classified as CWE-266 (Incorrect Privilege Assignment), indicating a fundamental flaw in how the application manages authorization controls for user signup functionality. The affected component is the Signup Endpoint located at /app/login, which fails to properly validate and enforce authorization settings.
The vulnerability allows an unauthenticated remote attacker to manipulate the signupEnabled parameter, effectively bypassing administrative controls designed to restrict new user registrations. This is particularly concerning for organizations that have intentionally disabled public signups to maintain a controlled user base.
The exploit has been publicly disclosed, increasing the risk of active exploitation attempts against vulnerable Chatwoot instances. Despite early notification, the vendor has not responded to disclosure attempts, leaving users without an official patch timeline.
Root Cause
The root cause of this vulnerability lies in improper authorization checking within the Signup Endpoint handler. The application fails to properly validate server-side settings when processing signup requests, allowing client-side parameter manipulation to override administrative configurations. The signupEnabled argument appears to be trusted from user input without proper server-side validation against the actual application configuration.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker can craft a malicious request to the /app/login endpoint with the signupEnabled parameter set to true. This manipulation tricks the application into allowing signups even when the feature has been administratively disabled.
The attack flow involves intercepting or crafting HTTP requests to the signup endpoint and including the manipulated authorization parameter. Since this vulnerability affects the login/signup functionality, it represents an authentication bypass that could lead to unauthorized account creation and subsequent access to the platform.
Detection Methods for CVE-2026-4990
Indicators of Compromise
- Unexpected user account registrations when signup functionality should be disabled
- HTTP requests to /app/login containing signupEnabled=true parameter manipulation
- Unusual spikes in account creation activity from unknown IP addresses
- Log entries showing signup attempts during periods when registration was administratively disabled
Detection Strategies
- Monitor web application logs for requests to /app/login with signupEnabled parameter modifications
- Implement Web Application Firewall (WAF) rules to detect and block parameter tampering attempts
- Configure alerts for new user account creations, especially when signup is supposed to be disabled
- Review authentication logs for accounts created through potentially malicious signup attempts
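As an added illustration of the first detection strategy (this is not code from the page or from the Chatwoot project), the following Python script scans nginx "combined" access-log lines for requests to /app/login whose query string carries signupEnabled=true. The log lines are constructed samples, and the parameter match is case-insensitive, like the ~* operator in the nginx rule further down.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (nginx "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2026:10:00:01 +0000] "GET /app/login?signupEnabled=true HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [27/Mar/2026:10:00:05 +0000] "GET /app/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2026:10:00:09 +0000] "POST /app/login?signupenabled=TRUE HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [27/Mar/2026:10:01:00 +0000] "GET /app/dashboard?signupEnabled=true HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_signup_tamper(target: str) -> bool:
    """True when the request targets /app/login and its query string sets
    signupEnabled=true (parameter name and value compared case-insensitively)."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/app/login":
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    for key, values in query.items():
        if key.lower() == "signupenabled" and any(v.lower() == "true" for v in values):
            return True
    return False


def scan_log(text: str) -> list[dict]:
    """Return one record per log line that matches the tampering pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_signup_tamper(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} /app/login "
              f"signupEnabled=true -> HTTP {hit['status']}")
```

Standard access logs do not record request bodies, so a signupEnabled value carried in a POST body is not visible to this check; alerting on the account-creation events themselves (the next strategies in the list) covers that gap.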
Monitoring Recommendations
- Enable detailed logging for all authentication and account creation events in Chatwoot
- Set up anomaly detection for signup activity patterns that deviate from baseline behavior
- Monitor network traffic for suspicious requests targeting the Signup Endpoint
- Implement regular audits of user accounts to identify any unauthorized registrations
How to Mitigate CVE-2026-4990
Immediate Actions Required
- Upgrade Chatwoot to a version newer than 4.11.1 when a patched version becomes available
- Implement network-level access controls to restrict access to the Chatwoot instance
- Review existing user accounts for any unauthorized registrations that may have exploited this vulnerability
- Consider placing the Chatwoot instance behind a reverse proxy with additional access controls
Patch Information
No official patch has been released by the vendor at the time of this publication. The vendor was contacted early about this disclosure but did not respond. Organizations should monitor the official Chatwoot security advisories and GitHub repository for updates. Additional technical details can be found at VulDB Entry #353877 and VulDB CTI ID #353877.
Workarounds
- Implement WAF rules to block requests containing signupEnabled parameter manipulation at the network edge
- Use reverse proxy configuration to strip or sanitize the signupEnabled parameter from incoming requests before they reach the application
- Restrict network access to the Chatwoot instance using IP allowlisting or VPN requirements
- Consider temporarily disabling public access to the signup endpoint until a patch is available
# Example nginx configuration to block parameter tampering
# Add to your nginx server block protecting Chatwoot
location /app/login {
    # Reject requests whose query string carries signupEnabled=true.
    # The pattern is anchored on "&" or string boundaries so only the exact
    # parameter name matches; ~* makes the comparison case-insensitive.
    if ($query_string ~* "(^|&)signupEnabled=true(&|$)") {
        return 403;
    }
    # Caveat: this only inspects the query string. A signupEnabled value sent in a
    # POST body is not seen here; inspecting the body needs ngx_http_lua_module or similar.
    # Forward everything else to the Chatwoot upstream ("chatwoot_backend" must be
    # defined in an upstream block elsewhere in your configuration).
    proxy_pass http://chatwoot_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.