Submit #772515: chatwoot 4.11.1 Business Logic Errorsinfo

Titlechatwoot 4.11.1 Business Logic Errors
DescriptionSummary The Chatwoot contains a business logic vulnerability that allows attackers to bypass the intended signup restriction mechanism. The application checks the response from the server (signupEnabled - Chatwoot config value) to determine whether new user registration is permitted. By intercepting and modifying the server response (using a proxy tool such as Burp Suite), an attacker can change the value of signupEnabled from false to true. Because the server does not properly enforce this restriction with server-side validation, the manipulated value is accepted, allowing unauthorized users to register accounts (administrative) even when the signup functionality is intended to be disabled. Details Vulnerable Endpoint: GET /app/login HTTP/2 Host: chatwoot.example.com
User
 Zabi_Ullah (UID 96130)
Submission03/05/2026 07:35 (4 months ago)
Moderation03/27/2026 14:48 (22 days later)
StatusAccepted
VulDB entry353877 [chatwoot up to 4.11.1 Signup Endpoint /app/login signupEnabled improper authorization]
Points17

Want to know what is going to be exploited?

We predict KEV entries!