CVE Alert

CVE-2026-44633

HIGH 8.1

Live Helper Chat: REST API chat update accepts arbitrary chat fields across department boundaries

CVSS Score: 8.1
EPSS Score: 0.0%
EPSS Percentile: 0th

Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can change the chat hash and status and then access or tamper with the chat through visitor/widget paths. The same write primitive can set operation_admin, which is later emitted as operator-side JavaScript.
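
The two controls whose absence the description implies, an object-level department check and a field allowlist on update, are sketched below as an added example; it is not Live Helper Chat code. The class names, the `update_chat` function and the contents of `WRITABLE_FIELDS` are assumptions, and only `lhchat/use`, `hash`, `status` and `operation_admin` come from the advisory text.

```python
# Added illustration, not Live Helper Chat code. All names are hypothetical
# except lhchat/use, hash, status and operation_admin, which the advisory names.
from dataclasses import dataclass, field

# Assumed allowlist: the only fields a REST client may change on a chat.
WRITABLE_FIELDS = frozenset({"nick", "email", "phone", "remarks"})


class UpdateDenied(Exception):
    """Raised when the caller may not perform the requested update."""


@dataclass
class Chat:
    id: int
    dep_id: int
    hash: str
    status: int = 0
    operation_admin: str = ""
    nick: str = ""
    email: str = ""
    phone: str = ""
    remarks: str = ""


@dataclass
class RestUser:
    permissions: set = field(default_factory=set)
    readable_departments: set = field(default_factory=set)


def update_chat(user: RestUser, chat: Chat, payload: dict) -> Chat:
    # 1. Function-level permission named in the advisory.
    if "lhchat/use" not in user.permissions:
        raise UpdateDenied("missing lhchat/use")
    # 2. Object-level check: the chat's department must be readable by the caller.
    if chat.dep_id not in user.readable_departments:
        raise UpdateDenied("chat belongs to a department the user cannot read")
    # 3. Reject fields outside the allowlist instead of silently dropping them,
    #    so attempts to set hash, status or operation_admin surface in logs.
    rejected = sorted(set(payload) - WRITABLE_FIELDS)
    if rejected:
        raise UpdateDenied("non-writable fields: " + ", ".join(rejected))
    for name, value in payload.items():
        setattr(chat, name, str(value))
    return chat
```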

CWE: CWE-863
Vendor: livehelperchat
Product: livehelperchat
Published: May 14, 2026
Last Updated: May 14, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

LiveHelperChat / livehelperchat: < 4.84v

References

github.com: https://github.com/LiveHelperChat/livehelperchat/security/advisories/GHSA-hjqq-qmvj-9whm