{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5205", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-31T08:48:35.949Z", "datePublished": "2026-03-31T16:30:11.076Z", "dateUpdated": "2026-03-31T16:30:11.076Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-31T16:30:11.076Z"}, "title": "chatwoot Webhook API trigger.rb Trigger server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "n/a", "product": "chatwoot", "versions": [{"version": "4.11.0", "status": "affected"}, {"version": "4.11.1", "status": "affected"}, {"version": "4.11.2", "status": "affected"}], "modules": ["Webhook API"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-31T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-31T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-31T10:53:40.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Ghufran Khan (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/354333", "name": "VDB-354333 | chatwoot Webhook API trigger.rb Trigger server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354333/cti", "name": "VDB-354333 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780305", "name": "Submit #780305 | Chatwoot 4.11.2 Server-Side Request Forgery", "tags": ["third-party-advisory"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5205", "lastModified": "2026-04-01T14:24:02.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-31T17:16:33.090", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780305"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354333"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354333/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.11.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.11.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.11.2"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "chatwoot", "source": "cna", "vendor": "n/a"}, "product": "chatwoot", "vendor": "chatwoot"}], "analysis": {"en": {"generated_at": "2026-03-31T19:24:04.009812+00:00", "value": {"mitigation_remediation": ["Upgrade Chatwoot to the latest release that includes the SSRF fix", "Restrict outbound traffic from the webhook service by applying firewall rules or network segmentation", "Validate webhook URLs against a strict whitelist to allow only trusted domains", "Monitor outbound HTTP requests originating from the webhook component for abnormal activity"], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Any Chatwoot deployment running version 4.11.2 or earlier is impacted. The vulnerability exists in the Webhook API component, specifically in the Trigger functionality. No additional vendor product versions are listed, so all instances of Chatwoot within the affected version range should be considered vulnerable.", "description_and_impact": "A server\u2011side request forgery vulnerability was discovered in the Chatwoot customer engagement platform. The flaw resides in the Webhooks::Trigger method within the lib/webhooks/trigger.rb file, where user\u2010supplied URLs are passed directly to outbound HTTP requests without adequate validation. By crafting a malicious payload to the webhook API, an attacker can cause the Chatwoot server to send arbitrary HTTP requests to internal or otherwise inaccessible resources, potentially enabling data exfiltration, internal network reconnaissance, or serving as a pivot for further attacks. The weakness is typical of input that controls outbound network traffic.", "risk_and_exploitability": "The CVSS base score of 5.3 categorizes the risk level as moderate, and the remote nature of the webhook endpoint means that the flaw can be triggered from any system that can reach the API. Public exploits are available, indicating that adversaries may already be leveraging the flaw. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, but the combination of a remote attack vector, lack of mandatory authentication for the endpoint, and known exploit code suggests a non\u2011negligible likelihood of exploitation."}}}}, "created": "2026-03-31T19:53:55.009596+00:00", "updated": "2026-03-31T20:37:52.609717+00:00", "vendors": ["chatwoot", "chatwoot$PRODUCT$chatwoot"]}