Live Helper Chat: REST API chat update accepts arbitrary chat...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can change the chat hash and status and then access or tamper with the chat through visitor/widget paths. The same write primitive can set operation_admin, which is later emitted as operator-side JavaScript.

Basic Information

ID CVE-2026-44633

Source GitHub_M

Published May 14, 2026 at 18:46

Modified May 14, 2026 at 19:42

Affected Product

Vendor LiveHelperChat

Product livehelperchat

Version < 4.84v

Affected Versions LiveHelperChat livehelperchat < 4.84v

CWE Classification

CWE-863

References

github.com /LiveHelperChat/livehelperchat/security/advisories/GHSA-hjqq-qmvj-9whm

{
    "lastseen": "",
    "description": "Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can change the chat hash and status and then access or tamper with the chat through visitor/widget paths. The same write primitive can set operation_admin, which is later emitted as operator-side JavaScript.",
    "published": "2026-05-14T18:46:52.064Z",
    "modified": "2026-05-14T19:42:29.313Z",
    "type": "cve",
    "title": "Live Helper Chat: REST API chat update accepts arbitrary chat fields across department boundaries",
    "source": "GitHub_M",
    "references": "https://github.com/LiveHelperChat/livehelperchat/security/advisories/GHSA-hjqq-qmvj-9whm",
    "id": "CVE-2026-44633",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "LiveHelperChat livehelperchat < 4.84v",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "livehelperchat",
    "version": "< 4.84v",
    "vendor": "LiveHelperChat",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Live Helper Chat: REST API chat update accepts arbitrary chat fields across department boundaries_CVE-2026-44633