CVE-2026-4990 is an improper authorization vulnerability affecting the chatwoot customer engagement platform, specifically versions 4.11.0 and 4.11.1. The flaw exists in the Signup Endpoint located at /app/login, where the signupEnabled parameter can be manipulated by an attacker to the value 'true'. This manipulation bypasses intended authorization checks, allowing remote attackers to perform unauthorized actions without requiring authentication or user interaction. The vulnerability arises from insufficient validation of the signupEnabled argument, which controls whether signup functionality is enabled. Exploiting this flaw could allow attackers to create unauthorized accounts or access restricted signup-related functionality, potentially leading to unauthorized access or privilege escalation within the system. The vulnerability has been publicly disclosed, but no active exploitation has been reported. The vendor has not issued a patch or responded to the disclosure, increasing the urgency for organizations to implement mitigations. The CVSS 4.0 base score of 6.9 reflects a medium severity level, with network attack vector, low complexity, no privileges or user interaction required, and limited impacts on confidentiality, integrity, and availability. This vulnerability highlights the importance of robust authorization checks on critical endpoints, especially those related to user registration and authentication.

The improper authorization vulnerability in chatwoot can allow remote attackers to bypass signup restrictions and potentially create unauthorized accounts or access signup-related features. This could lead to unauthorized access to the platform, enabling attackers to impersonate users, escalate privileges, or manipulate customer engagement data. While the direct impact on confidentiality, integrity, and availability is limited, unauthorized account creation can facilitate further attacks such as social engineering, data harvesting, or lateral movement within an organization’s infrastructure. Organizations relying on chatwoot for customer communication and support may face reputational damage, data privacy concerns, and operational disruptions if attackers exploit this vulnerability. The lack of vendor response and patch availability increases the risk exposure period. The vulnerability’s ease of exploitation and remote attack vector make it a significant concern for organizations using affected versions, especially those with sensitive customer data or regulatory compliance requirements.

1. Immediately upgrade chatwoot to a version beyond 4.11.1 once a patch is released by the vendor. 2. Until an official patch is available, implement network-level access controls to restrict access to the /app/login endpoint, allowing only trusted IP addresses or VPN connections. 3. Employ web application firewalls (WAF) with custom rules to detect and block requests manipulating the signupEnabled parameter or unusual signup activity. 4. Monitor application logs for suspicious signup attempts or anomalous parameter values to detect potential exploitation attempts early. 5. Disable signup functionality if not required or restrict it through configuration to trusted users only. 6. Conduct a thorough review of authorization logic in custom deployments or integrations to ensure no similar flaws exist. 7. Educate security and development teams about the risks of improper authorization and the importance of validating all input parameters controlling access. 8. Prepare incident response plans to quickly address any exploitation attempts, including account review and revocation procedures.