Live Helper Chat REST API Vulnerability Allows Unauthorized Chat Tampering
A critical vulnerability, tracked as CVE-2026-44633, has been identified in Live Helper Chat, an open-source application for live website support. According to the National Vulnerability Database, versions up to 4.84 are affected. The flaw resides in the REST API’s chat update endpoint, which permits a REST user with lhchat/use permissions to modify chats in departments they lack read access to. This bypass allows an attacker to manipulate chat hashes and statuses, subsequently gaining unauthorized access or tampering with chats via visitor/widget paths.
The National Vulnerability Database further explains that this write primitive can also set the operation_admin flag. This flag is later emitted as operator-side JavaScript, indicating a potential for client-side code execution or further privilege escalation within the application. With a CVSS score of 8.1 (HIGH), this vulnerability presents a significant risk for organizations utilizing Live Helper Chat, as it could lead to sensitive information disclosure, chat manipulation, and potentially broader system compromise.
Attackers can exploit this by leveraging existing, albeit limited, REST API permissions to pivot into unauthorized administrative control or data access. The attacker’s calculus here is clear: exploit weak authorization to gain control over communication channels, which are often rich in sensitive customer data or operational intelligence. Defenders need to understand that even seemingly low-privilege API access can be weaponized if authorization checks are not rigorously enforced across all endpoints.
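The two missing checks the advisory implies (object-level authorization against the chat's department, and an allowlist of fields a REST client may write) are easier to see side by side. The following is an added illustration, not code from the original page or from the Live Helper Chat project: the class names, the `WRITABLE_FIELDS` allowlist and the handler names are hypothetical, and only the permission string `lhchat/use` and the field names `hash`, `status` and `operation_admin` are taken from the advisory. It models a vulnerable handler that checks only the coarse API permission next to a hardened one.

```python
# Added example (not Live Helper Chat code): coarse-permission-only update handler
# versus one with object-level and field-level authorization. All names hypothetical.
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet


@dataclass
class Chat:
    chat_id: int
    department_id: int
    status: int = 0
    hash: str = "orig-hash"      # visitor/widget paths locate a chat by this value
    operation_admin: str = ""    # later rendered as operator-side JavaScript


@dataclass(frozen=True)
class ApiUser:
    user_id: int
    permissions: FrozenSet[str]
    readable_departments: FrozenSet[int]


@dataclass(frozen=True)
class UpdateResult:
    ok: bool
    reason: str


# Hypothetical allowlist: the only chat attributes the update endpoint may write.
# Security-relevant attributes (hash, operation_admin) are deliberately absent.
WRITABLE_FIELDS: FrozenSet[str] = frozenset({"status"})


def update_chat_vulnerable(user: ApiUser, chat: Chat, changes: Dict[str, Any]) -> UpdateResult:
    """The pattern the advisory describes: only the coarse permission is checked,
    so any lhchat/use holder can write any attribute of any chat."""
    if "lhchat/use" not in user.permissions:
        return UpdateResult(False, "missing lhchat/use permission")
    for name, value in changes.items():
        setattr(chat, name, value)
    return UpdateResult(True, "updated")


def update_chat_hardened(user: ApiUser, chat: Chat, changes: Dict[str, Any]) -> UpdateResult:
    """Coarse permission, then object-level authorization, then a field allowlist."""
    if "lhchat/use" not in user.permissions:
        return UpdateResult(False, "missing lhchat/use permission")
    # Object-level check: the caller must be able to read the chat's department.
    if chat.department_id not in user.readable_departments:
        return UpdateResult(False, f"no access to department {chat.department_id}")
    # Field-level check: reject the whole request if any non-allowlisted field is
    # present, rather than silently dropping it, so the attempt is visible in logs.
    rejected = sorted(set(changes) - WRITABLE_FIELDS)
    if rejected:
        return UpdateResult(False, f"fields not writable via this endpoint: {rejected}")
    for name, value in changes.items():
        setattr(chat, name, value)
    return UpdateResult(True, "updated")


def demo() -> Dict[str, Any]:
    """Run both handlers against the same request: a user who may read only
    department 10 tries to set a privileged field on a chat in department 20."""
    user = ApiUser(1, frozenset({"lhchat/use"}), frozenset({10}))
    changes = {"status": 2, "operation_admin": "tampered"}   # constructed input
    vuln_chat, hard_chat = Chat(42, 20), Chat(42, 20)
    vuln = update_chat_vulnerable(user, vuln_chat, changes)
    hard = update_chat_hardened(user, hard_chat, changes)
    # A legitimate in-department status change still succeeds on the hardened path.
    own = update_chat_hardened(user, Chat(43, 10), {"status": 2})
    return {
        "vulnerable_ok": vuln.ok,
        "vulnerable_operation_admin": vuln_chat.operation_admin,
        "hardened_ok": hard.ok,
        "hardened_reason": hard.reason,
        "hardened_operation_admin": hard_chat.operation_admin,
        "in_department_status_ok": own.ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler fails closed on the department check before it even looks at the fields, and the allowlist means a privileged flag such as `operation_admin` cannot reach the chat record through this endpoint at all, regardless of who calls it.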
What This Means For You
- If your organization uses Live Helper Chat, immediately check your version and upgrade to a fixed release newer than 4.84. Prioritize auditing your REST API configurations and reviewing access logs for anomalous chat modifications or `operation_admin` flag changes. This isn't just about data exposure; it's about maintaining trust in customer communication channels and preventing potential client-side attacks.
Related ATT&CK Techniques
🛡️ Detection Rules
Detection rules auto-generated for this incident, mapped to MITRE ATT&CK and provided as Sigma YAML.
CVE-2026-44633 - Live Helper Chat API Unauthorized Chat Tampering
```yaml
title: CVE-2026-44633 - Live Helper Chat API Unauthorized Chat Tampering
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-44633 by targeting the Live Helper Chat REST API chat update endpoint. This rule looks for POST requests to '/api/v2/chat/update' that include parameters commonly used in the exploit, such as 'chat_id', 'hash', 'status', and 'operation_admin', allowing unauthorized modification of chat data or potential execution of operator-side JavaScript.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44633/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v2/chat/update'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  # Request parameters. Note: cs-uri-query only carries the query string; parameters
  # sent in the POST body are invisible to this rule unless request bodies are logged.
  # The two groups are separate selections because a YAML mapping cannot hold the
  # same key twice (a duplicated 'cs-uri-query|contains' key would silently override).
  selection_params:
    cs-uri-query|contains:
      - 'chat_id='
      - 'hash='
      - 'status='
  selection_admin:
    cs-uri-query|contains:
      - 'operation_admin='
  condition: selection and selection_params and selection_admin
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
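To see what the rule above actually fires on, here is the same logic re-implemented as a small Python matcher run over a few constructed W3C-style web server log lines. This is an added example, not code from the original page or from any SIEM; the log lines are made up, and the field layout (`date time c-ip cs-method cs-uri-stem cs-uri-query sc-status`) is an assumption about how the web server is configured.

```python
# Added example: the Sigma rule's three selections as a Python matcher over
# constructed W3C extended log lines. Not part of the original page.
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not real traffic). Fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status ; '-' = empty field
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-14 22:10:01 203.0.113.7 POST /api/v2/chat/update chat_id=42&hash=abc123&status=1&operation_admin=1 200
2026-05-14 22:10:05 203.0.113.7 POST /api/v2/chat/update chat_id=42&status=2 200
2026-05-14 22:11:09 198.51.100.3 GET /api/v2/chat/fetch chat_id=42 200
2026-05-14 22:12:44 203.0.113.9 POST /api/v2/chat/update chat_id=77&hash=zzz&operation_admin=1 403
2026-05-14 22:13:00 203.0.113.9 POST /api/v2/chat/update - 200
"""


@dataclass(frozen=True)
class WebEvent:
    timestamp: str
    client_ip: str
    method: str
    uri_stem: str
    uri_query: str
    status: str


def parse_w3c_line(line: str) -> Optional[WebEvent]:
    """Parse one space-separated W3C line; returns None for directives, blanks
    and lines that do not have exactly the seven expected fields."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return WebEvent(f"{date} {time}", ip, method, stem, "" if query == "-" else query, status)


def _contains_any(haystack: str, needles: List[str]) -> bool:
    # Sigma string matching is case-insensitive by default.
    low = haystack.lower()
    return any(n.lower() in low for n in needles)


def matches_rule(ev: WebEvent) -> bool:
    """Mirror of: condition: selection and selection_params and selection_admin."""
    full_uri = ev.uri_stem + ("?" + ev.uri_query if ev.uri_query else "")
    selection = (
        _contains_any(full_uri, ["/api/v2/chat/update"])
        and ev.method.upper() == "POST"
        and ev.status == "200"
    )
    selection_params = _contains_any(ev.uri_query, ["chat_id=", "hash=", "status="])
    selection_admin = _contains_any(ev.uri_query, ["operation_admin="])
    return selection and selection_params and selection_admin


def scan(log_text: str) -> List[WebEvent]:
    """Return every event in the log text that triggers the rule."""
    hits: List[WebEvent] = []
    for line in log_text.splitlines():
        ev = parse_w3c_line(line)
        if ev is not None and matches_rule(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT {hit.timestamp} {hit.client_ip} {hit.method} "
              f"{hit.uri_stem}?{hit.uri_query} -> {hit.status}")
```

Of the five constructed lines only the first fires: the second lacks `operation_admin=`, the third is a GET to a different path, the fourth was rejected with 403, and the fifth carries no query string at all. That last case is the important caveat: a client that sends the same parameters in the POST body produces a line like the fifth one, so this rule (and this matcher) cannot see it unless the web server or a WAF logs request bodies.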
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44633 | Auth Bypass | Live Helper Chat ≤ 4.84 REST API chat update endpoint allows a user with lhchat/use permission to update chats in departments they cannot read. |
| CVE-2026-44633 | Information Disclosure | Live Helper Chat ≤ 4.84 REST API chat update endpoint allows changing a chat's hash, giving access to the chat via visitor/widget paths. |
| CVE-2026-44633 | Code Injection | Live Helper Chat ≤ 4.84 REST API chat update endpoint allows setting the operation_admin field, leading to operator-side JavaScript injection. |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.