VYPR
Moderate severity · NVD Advisory · Published Jan 19, 2022 · Updated Aug 2, 2024

Authorization Bypass Through User-Controlled Key in livehelperchat/livehelperchat

CVE-2022-0266

Description

Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authorization bypass vulnerability in Live Helper Chat allows any authenticated user to delete the admin account or the default admin group.

Vulnerability

An authorization bypass through user-controlled key vulnerability exists in remdex/livehelperchat prior to version 3.92v (CVE-2022-0266). The affected code paths in the administration panel lack proper access control checks when processing user or group deletion requests. Specifically, functions related to deleting user accounts and user groups do not validate that the requesting user has sufficient privileges [3]. The vulnerability is present in the lhc_web component of the application.

Exploitation

An attacker must be an authenticated user of the Live Helper Chat system with access to the administration area. The attacker can craft HTTP requests that specify a user_id or group_id parameter value of 1, which corresponds to the default administrator account or the default admin group. A commit comment in the fix confirms this check was missing: only the frontend logic prevented self-deletion, but the backend lacked the same verification [3]. Therefore, any authenticated user can trigger the deletion by sending the appropriate request.

Impact

A successful attack results in the deletion of the default administrator account (user ID 1) or the default admin group (group ID 1). This would effectively lock out legitimate administrators and disrupt the administration of the live chat system, leading to a denial of service for the application's management. The impact is limited to the availability of the admin interface and does not directly lead to data theft or remote code execution.

Mitigation

The vulnerability is fixed in version 3.92v and later. The commit cc1122aed0d1ad9f05757eaea2ab9e6a924776bd introduces explicit checks that prevent deletion of user ID 1 and group ID 1 even when the request passes authorization [2][3]. Users should upgrade to Live Helper Chat 3.92v or higher immediately. No workarounds are documented for unpatched versions; if upgrading is not possible, administrators should restrict access to the admin panel to only trusted users.
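The narrative above describes the defect (a deletion handler driven by a user-controlled key with no server-side privilege check) and the fix (a guard on the built-in ID 1). The following PHP is an added example, not Live Helper Chat code: it puts the weak handler shape next to a hardened one so the difference is concrete. The `Session` and `UserStore` classes, the permission name `lhuser.delete` and the sample user table are all constructed for this illustration and are not the project's API.

```php
<?php
// Added example (not Live Helper Chat code): a minimal user-deletion handler
// in its weak and hardened forms. Every class and permission name below is a
// constructed stand-in for this illustration.

declare(strict_types=1);

final class Session
{
    public function __construct(public int $userId, public array $permissions) {}

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class UserStore
{
    /** @var array<int, string> constructed sample table: user id => login */
    private array $users = [1 => 'admin', 2 => 'alice', 3 => 'bob'];

    public function exists(int $id): bool { return isset($this->users[$id]); }
    public function delete(int $id): void { unset($this->users[$id]); }
    public function ids(): array { return array_keys($this->users); }
}

// Weak shape: the only input is a user-controlled key, and nothing checks
// who is asking or which record that key names (the CWE-639 pattern the
// advisory describes).
function deleteUserWeak(UserStore $store, array $params): string
{
    $store->delete((int)$params['user_id']);
    return 'deleted';
}

// Hardened shape: authorize the caller, refuse the protected built-in record
// (the fix commit guards ID 1), and enforce the no-self-deletion rule on the
// server instead of relying on the UI to hide the button.
function deleteUserHardened(UserStore $store, Session $session, array $params): string
{
    if (!$session->hasPermission('lhuser.delete')) {   // assumed permission name
        return 'error: caller is not authorized to delete users';
    }
    $targetId = (int)($params['user_id'] ?? 0);
    if ($targetId === 1) {
        return 'error: the built-in administrator account cannot be deleted';
    }
    if ($targetId === $session->userId) {
        return 'error: a user cannot delete their own account';
    }
    if (!$store->exists($targetId)) {
        return 'error: no such user';
    }
    $store->delete($targetId);
    return 'deleted';
}

// Constructed walk-through: a low-privilege operator submits user_id=1.
$store   = new UserStore();
$request = ['user_id' => '1'];
$lowPriv = new Session(userId: 3, permissions: ['lhchat.read']);

echo deleteUserWeak(clone $store, $request), PHP_EOL;
echo deleteUserHardened($store, $lowPriv, $request), PHP_EOL;
print_r($store->ids());
```

Run as-is, the weak handler removes user 1 from its copy of the store without objection, while the hardened handler stops at the permission check and the original store still lists all three users. The ordering of the checks is deliberate: the permission test comes first so that an unauthorized caller learns nothing about which IDs exist, and the protected-ID guard is separate from the self-deletion guard because they defend against different mistakes.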

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
remdex/livehelperchat (Packagist)    < 3.92              3.92


Patches

cc1122aed0d1

Display logic should match backend logic

https://github.com/livehelperchat/livehelperchat · Remigijus Kiminas · Jan 18, 2022 · via ghsa
2 files changed · +10 −0
  • lhc_web/modules/lhuser/deletegroup.php · +5 −0 · modified
    @@ -5,6 +5,11 @@
     	exit;
     }
     
    +if ((int)$Params['user_parameters']['group_id'] == 1) {
    +    die('admin account never can be deleted!');
    +    exit;
    +}
    +
     erLhcoreClassGroup::deleteGroup((int)$Params['user_parameters']['group_id']);
     
     erLhcoreClassAdminChatValidatorHelper::clearUsersCache();
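Review bot: the new guard in deletegroup.php special-cases only `group_id == 1`, so it protects the default admin group but does not add the privilege check the advisory says is missing; every other group stays deletable by whoever reaches this module, and because the check sits in the request handler rather than in `erLhcoreClassGroup::deleteGroup()`, other callers of deleteGroup() are not covered. The `exit;` after `die(...)` is also unreachable, since die() already terminates the script. Suggest moving the protected-group check into deleteGroup() (or a shared validator), adding an explicit permission check ahead of it, and dropping the dead `exit;`.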
    
  • lhc_web/modules/lhuser/delete.php · +5 −0 · modified
    @@ -10,6 +10,11 @@
         exit;
     }
     
    +if ((int)$Params['user_parameters']['user_id'] == 1) {
    +    die('admin account never can be deleted!');
    +    exit;
    +}
    +
     $departament = erLhcoreClassUser::getSession()->load( 'erLhcoreClassModelUser', $Params['user_parameters']['user_id']);
     erLhcoreClassUser::getSession()->delete($departament);
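Review bot: same shape as the deletegroup.php hunk: `if ((int)$Params['user_parameters']['user_id'] == 1)` is a hard-coded ID rather than a check on the loaded record or the caller's rights, and the `exit;` after `die(...)` is dead code. Two further points on this hunk: the check runs before the user is loaded, so it cannot express the rule the commit message refers to (backend matching the display logic that blocks self-deletion) unless it also compares the target against the session's own user id; and `$departament` is a misleading name for a loaded `erLhcoreClassModelUser`. Suggest loading the user first, rejecting both the built-in administrator and the session's own id, then deleting, and renaming the variable to `$user`.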
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

