HIGHCVE-2026-44633Published 2026-05-14Modified 2026-05-14CNA GitHub_M

CVE-2026-44633: Live Helper Chat: REST API chat update accepts arbitrary chat fields across department boundaries

Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can change the chat hash and status and then access or tamper with the chat through visitor/widget paths. The same write primitive can set operation_admin, which is later emitted as operator-side JavaScript.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

LiveHelperChat / livehelperchat
< 4.84v

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

https://github.com/LiveHelperChat/livehelperchat/security/advisories/GHSA-hjqq-qmvj-9whm

Metrics