Live Helper Chat: Operators can manage chats outside assigned departments

CVE-2026-27954
Summary

Live Helper Chat versions up to and including 4.52 allow operators who hold certain role permissions to hold, block users from, or transfer chats in departments they are not assigned to. This can lead to unauthorized access and actions across departments within one organization. No patch is available yet; keep the software updated to the latest version or consider using a different support chat software in the meantime.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor          Product            Affected versions   Fix available
livehelperchat  live_helper_chat   <= 4.52             –
Original description
Live Helper Chat is an open-source application that enables live support websites. In versions up to and including 4.52, three chat action endpoints (holdaction.php, blockuser.php, and transferchat.php) load chat objects by ID without calling `erLhcoreClassChat::hasAccessToRead()`, allowing operators to act on chats in departments they are not assigned to. Operators with the relevant role permissions (holduse, allowblockusers, allowtransfer) can hold, block users from, or transfer chats in departments they are not assigned to. This is a horizontal privilege escalation within one organization. As of the time of publication, no known patched versions are available.
NVD CVSS 3.1: 6.5
NVD CVSS 4.0: 4.9
Vulnerability type
CWE-862 Missing Authorization
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026