We welcome responsible disclosure from security researchers. This document explains how to report vulnerabilities and what we consider in-scope.
- Submit here:
https://github.com/chatwoot/chatwoot/security/advisories/new - For process questions only:
[email protected]
Important: Do not create public GitHub issues or post vulnerability details on social media. Use the GitHub advisories form.
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
We provide security fixes for the latest release only.
Only test against instances you own or have explicit permission to test. Do not target production instances you do not control.
We are primarily interested in issues that lead to compromise of confidentiality, integrity, or availability. Typical examples include:
- Remote Command Execution (RCE)
- SQL injection
- Authentication bypass
- Privilege escalation
See our triage guide for more details: https://www.chatwoot.com/docs/contributing-guide/security-reports
The following are usually not valid reports unless accompanied by clear exploitability or a practical attack path:
- Missing HTTP security headers (unless chaining to an exploit)
- Missing/incomplete SPF/DKIM
- Automated scanner output without manual validation
- Self-inflicted user attacks
- Denial of Service (DoS) without demonstrated impact
- Brute force attempts without demonstrated escalation
- DNSSEC issues (unless they lead to exploitable impact)
If in doubt, submit a report — we prefer to evaluate borderline cases ourselves.
Please include as much of the following as possible to help us reproduce and fix the issue quickly:
- Title (one line)
- Summary — short description of the issue and impact
- Affected versions / configuration
- Reproduction steps / PoC — minimal, reproducible steps (curl commands, scripts or exploit code)
- Impact — what an attacker can do
- Logs/response data — where applicable (sanitized if sensitive)
- Mitigation suggestions (optional)
- Contact — GitHub handle or email for follow-up
Steps to reproduce:
1. POST /api/v1/widgets with body: {"q":"1' OR (SELECT 1 FROM users WHERE id=1 AND substr(email,1,1)='a')-- -"}
2. Observe timing-based responses indicating injection.
PoC:
[attach script or curl commands]
Impact:
An attacker could extract data from the database.
Contact:
- github-username (or [email protected])
- We will acknowledge receipt via GitHub advisories.
- We may ask for additional details or a test instance to validate the issue.
- We will triage and fix confirmed issues as appropriate.
- Valid reports may be acknowledged in release notes or our security acknowledgements page. Any reward programs are handled case-by-case.
- Test only on instances you control or have permission to test.
- Avoid destructive or irreversible tests on shared systems.
- Prefer safe, non-destructive PoCs where possible.
- Security advisory form:
https://github.com/chatwoot/chatwoot/security/advisories/new - Triage guide:
https://www.chatwoot.com/docs/contributing-guide/security-reports - Contact:
[email protected]
Thank you for helping keep Chatwoot secure.