
CVE-2026-5205: Server-Side Request Forgery in chatwoot

Severity: Medium
Published: Tue Mar 31 2026 (03/31/2026, 16:30:11 UTC)
Source: CVE Database V5
Product: chatwoot

Description

CVE-2026-5205 is a server-side request forgery (SSRF) vulnerability affecting chatwoot versions up to 4.11.2. The flaw exists in the Webhooks::Trigger function within the Webhook API component, where manipulation of the URL argument allows attackers to make unauthorized requests from the server. This vulnerability can be exploited remotely without authentication or user interaction. Although the CVSS 4.0 score rates it as medium severity (5.3), the vulnerability could enable attackers to access internal resources or perform further attacks. No patches or vendor responses are currently available, and public exploits exist, but no known widespread exploitation has been reported. Organizations using chatwoot versions 4.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/31/2026, 16:54:26 UTC

Technical Analysis

CVE-2026-5205 is a server-side request forgery vulnerability identified in chatwoot, an open-source customer engagement platform, specifically affecting versions 4.11.0 through 4.11.2. The vulnerability resides in the Webhooks::Trigger function located in lib/webhooks/trigger.rb within the Webhook API component. The flaw arises due to insufficient validation or sanitization of the URL parameter passed to this function, allowing an attacker to manipulate the URL argument to induce the server to make arbitrary HTTP requests. SSRF vulnerabilities enable attackers to coerce the vulnerable server to send requests to internal or external systems, potentially bypassing firewall restrictions and accessing sensitive internal services or metadata endpoints. The attack vector is remote and does not require authentication or user interaction, increasing the risk of exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no privileges or user interaction needed, and partial impacts on confidentiality, integrity, and availability. Despite the availability of public exploits, there are no known reports of active exploitation in the wild. The vendor has not responded to the disclosure, and no official patches have been released, leaving affected deployments exposed. This vulnerability is particularly concerning for organizations that rely on chatwoot's webhook functionality to integrate with other services, as SSRF can be leveraged for reconnaissance, data exfiltration, or pivoting within internal networks.

Potential Impact

The primary impact of CVE-2026-5205 is the potential for attackers to perform unauthorized internal or external HTTP requests from the vulnerable chatwoot server. This can lead to several risks including unauthorized access to internal systems, exposure of sensitive data, bypassing network segmentation, and facilitating further attacks such as remote code execution or data exfiltration if combined with other vulnerabilities. The SSRF can undermine confidentiality by accessing internal endpoints or metadata services, integrity by potentially manipulating internal APIs, and availability if the attacker targets internal resources with denial-of-service requests. Since the vulnerability requires no authentication or user interaction, any exposed chatwoot instance running affected versions is at risk. Organizations using chatwoot in sensitive environments or with critical integrations may face significant operational and reputational damage if exploited. The lack of vendor response and patches prolongs exposure, increasing the window for potential exploitation.

Mitigation Recommendations

1. Immediate mitigation should include restricting network access from the chatwoot server to only trusted endpoints, using firewall rules or network segmentation to limit outbound HTTP requests.
2. Implement input validation and sanitization on the URL parameter used in the Webhooks::Trigger function to ensure only allowed domains or IP ranges can be requested.
3. Monitor webhook usage and server logs for unusual or unexpected outbound requests that could indicate exploitation attempts.
4. If possible, disable webhook functionality temporarily until a patch or official fix is available.
5. Employ web application firewalls (WAFs) with custom rules to detect and block SSRF attack patterns targeting chatwoot endpoints.
6. Keep chatwoot installations updated and monitor vendor communications for patches or advisories.
7. Conduct internal security assessments and penetration testing to identify any exploitation or lateral movement stemming from this vulnerability.
8. Consider deploying network-level SSRF protections such as egress filtering and DNS request monitoring to detect malicious activity.
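The following Ruby module illustrates the kind of URL validation that recommendation 2 calls for: a scheme check, an optional host allow-list, and a check of every address the hostname resolves to against loopback, private, link-local (which covers the cloud-metadata address), multicast and reserved ranges. It is an added example written for this page, not code from chatwoot or its maintainers; the module name WebhookUrlValidator, the Result struct and the constructed DNS answers in the demo are assumptions, and the resolver is injectable only so the check can be exercised offline.

```ruby
# Added example (not chatwoot's code): allow-list and address-range checks
# for a user-supplied webhook URL, run before the server makes the request.
require "uri"
require "ipaddr"
require "resolv"

module WebhookUrlValidator # hypothetical module name
  # Ranges an outbound webhook must never reach: unspecified, loopback,
  # RFC 1918 private, carrier-grade NAT, link-local (which includes the
  # 169.254.169.254 cloud-metadata address), multicast and reserved.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
    ::/128 ::1/128 fc00::/7 fe80::/10 ff00::/8
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  ALLOWED_SCHEMES = %w[http https].freeze

  # ok is true/false; reason is a short string suitable for an audit log.
  Result = Struct.new(:ok, :reason) do
    def ok?
      ok
    end
  end

  # resolver: callable mapping a hostname to an array of IP strings. It is
  # injectable so the check can be exercised offline; the default uses
  # system DNS. allowed_hosts: optional array of lowercase hostnames.
  def self.check(url, allowed_hosts: nil, resolver: ->(h) { Resolv.getaddresses(h) })
    uri = begin
      URI.parse(url.to_s.strip)
    rescue URI::InvalidURIError
      return Result.new(false, "unparseable URL")
    end
    return Result.new(false, "scheme must be http or https") unless ALLOWED_SCHEMES.include?(uri.scheme)

    host = uri.hostname.to_s.downcase # hostname strips IPv6 brackets
    return Result.new(false, "missing host") if host.empty?
    return Result.new(false, "credentials in URL not allowed") if uri.userinfo
    if allowed_hosts && !allowed_hosts.include?(host)
      return Result.new(false, "host #{host} not on the allow-list")
    end

    # An IP literal is checked directly; a name is resolved and every
    # returned address is checked, so a name with one public and one
    # private record is still rejected.
    addresses = ip_literal?(host) ? [host] : resolver.call(host)
    return Result.new(false, "host #{host} did not resolve") if addresses.empty?

    addresses.each do |addr|
      ip = IPAddr.new(addr).native # unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
      range = BLOCKED_RANGES.find { |r| r.include?(ip) }
      return Result.new(false, "#{host} resolves to blocked address #{addr}") if range
    end
    Result.new(true, "ok")
  end

  def self.ip_literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed DNS answers so the demo runs offline.
  dns = { "hooks.example.com" => ["203.0.113.10"] }
  r = ->(h) { dns.fetch(h, []) }
  puts WebhookUrlValidator.check("https://hooks.example.com/in", resolver: r).reason
  puts WebhookUrlValidator.check("http://127.0.0.1:3000/", resolver: r).reason
end
```

Two caveats a practitioner would want: the name is resolved here and again by the HTTP client when it connects, so a record that changes between the two lookups would bypass the check unless the client is made to connect to the address that was validated; and redirects must either be disabled or re-run through the same check for every hop, since a permitted public host can otherwise redirect the server to an internal address. The `reason` string is meant for the logging that recommendation 3 describes.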


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-03-31T08:48:35.949Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69cbf879e6bfc5ba1d2801af

Added to database: 3/31/2026, 4:38:17 PM

Last enriched: 3/31/2026, 4:54:26 PM

Last updated: 3/31/2026, 5:42:37 PM

