Live Helper Chat

v4.86v Security

This release includes 1 security fix for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

ai ai-chatbot audio-call chat chat-application live-help live-support livehelp screenshare video-call

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 8d

The release removes LDAP authentication components and hardens the forgot‑password flow with a constant‑time delay. It also updates password hashing methods.

Why it matters: Removal of LDAP impacts any deployments relying on that auth method; constant‑time delays in forgot‑password mitigate timing attacks, critical for security‑sensitive flows.

Summary

AI summary

Added real-time performance dashboard widgets and hardened authentication flows.

Changes in this release

Security High

Removed LDAP authentication components.

Source: llm_adapter@2026-05-26

Confidence: high

Security High

Added constant-time response delay in forgot-password flow to mitigate timing attacks.

Source: llm_adapter@2026-05-26

Confidence: high

Security Medium

Updated hashing methods for login and password update flows; implemented expired hash cleanup.

Source: llm_adapter@2026-05-26

Confidence: high

Feature Medium

Added new `dep_performance` and `op_performance` dashboard widgets for real‑time department and operator stats.

Source: llm_adapter@2026-05-26

Confidence: high

Feature Medium

Introduced `Performance` and `PerformanceWidgets` models to store/retrieve serialized performance snapshots.

Source: llm_adapter@2026-05-26

Confidence: high

Feature Medium

Added `cron/stats/performance` cron job to aggregate department and operator performance data into `lh_abstract_performance` table.

Source: llm_adapter@2026-05-26

Confidence: high

Feature Medium

Added switch‑editor option in active chat tab and new permission for operators to toggle between editors.

Source: llm_adapter@2026-05-26

Confidence: high

Feature Medium

Enhanced bot and event system: added support for invisible arguments, transfer‑to‑human dispatch, and custom online status checks.

Source: llm_adapter@2026-05-26

Confidence: high

Feature Medium

Introduced `PerformanceWidgets` model to provide formatted data for dashboard sync with access‑control filtering.

Source: granite4.1:30b@2026-05-26-audit

Confidence: low

Feature Low

Enhanced export functionality with ChatML support and UI improvements; fixed compatibility with non‑strict sql_mode for certain reports.

Source: llm_adapter@2026-05-26

Confidence: high

Bugfix Medium

Fixed matching rule search and minor issues such as string conversion errors and typo corrections.

Source: llm_adapter@2026-05-26

Confidence: high

Full changelog
  1. Notable changes since 4.85v

    • Performance statistics dashboard widgets: added new dep_performance and op_performance dashboard widgets that display real-time aggregated statistics for departments and operators respectively; widgets support configurable columns (chats received, chats answered, wait time, first/average response time, thumbs up/down, online/offline time) with configurable position and update intervals; new settings UI under Statistics for both department and operator performance configuration.
    • Performance stats cron aggregator: new cron job (cron/stats/performance) aggregates department and operator performance data into the new lh_abstract_performance table; supports forced regeneration via -p force; configurable update interval and day range; cron respects sql_mode and local timezone settings.
    • New Performance and PerformanceWidgets models: Performance model stores/retrieves serialized performance snapshots; PerformanceWidgets provides formatted data for dashboard sync, including per-department and per-operator stats with access-control filtering.
    • Security and authentication hardening: improved password verification logic in REST API validator; added constant-time response delay in forgot-password flow to mitigate timing attacks; updated hashing methods for login and password update flows; implemented expired hash cleanup (deleteExpiredHashes) called from setRemindHash, remindpassword, and forgotpassword modules; removed LDAP authentication components; updated autologin with nonce support and improved hash validation; masked error messages for users without access to unhidden emails in send and reply APIs.
    • Bot and event system: enhanced chat variable update handling and event dispatching; ignored default trigger message when a trigger is started manually; added support for invisible arguments in bot triggers; added event dispatch for transfer-to-human action; added event argument for custom is-online status checks.
    • Editor and operator UI: added switch-editor option in active chat tab and a new permission for operators to toggle between new and old editors; added icons and colors to the transfer window; increased subject modal window width; fixed form loading scroll event; avoided null being displayed before a chat starts.
    • Export and reports: enhanced export functionality with ChatML support and UI improvements; fixed compatibility with non-strict sql_mode for certain reports.
    • Bug fixes: fixed matching rule search; minor fixes including string conversion and typo corrections.
  2. Summary

    • This release introduces a new real-time performance dashboard with configurable department and operator widgets backed by a cron aggregator and a dedicated lh_abstract_performance table.
    • Security is hardened across authentication flows: stronger hashing, timing-safe responses, expired hash cleanup, autologin nonce support, and LDAP removal.
    • Operator productivity is improved with a switchable editor, richer transfer UI, and expanded bot/event capabilities. Export and report compatibility are also addressed.

Execute doc/update_db/update_352.sql to update.

Full Changelog: https://github.com/LiveHelperChat/livehelperchat/compare/4.85v...4.86v

Contributors

7megaumka7

Breaking Changes

  • Removed LDAP authentication components.

Security Fixes

  • Improved password verification logic in REST API validator; added constant-time delay in forgot-password flow to mitigate timing attacks; updated hashing methods for login and password update flows; implemented expired hash cleanup (deleteExpiredHashes) called from setRemindHash, remindpassword, and forgotpassword modules; masked error messages for users without access to unhidden emails.
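
A sketch of the forgot-password hardening listed above, as an added example that is not Live Helper Chat's code: every request is padded to the same minimum duration and gets the same reply, and stale reset hashes are purged on each call. The function names, the in-memory store, the 0.5 s floor and the one-hour lifetime are all assumptions made for illustration; the release notes do not state how the project implements the delay.

```php
<?php
// Added illustration; not Live Helper Chat code. All names and values are hypothetical.

const MIN_RESPONSE_SECONDS = 0.5;   // assumed floor; must exceed the slowest real path
const HASH_TTL_SECONDS     = 3600;  // assumed lifetime of a reset hash

/** Drop reset hashes older than the TTL and return how many were removed. */
function purgeExpiredHashes(array &$store, int $now): int
{
    $before = count($store);
    $store = array_filter($store, fn(array $row) => $now - $row['created'] < HASH_TTL_SECONDS);
    return $before - count($store);
}

/** Handle a reset request; reply and duration do not depend on whether the account exists. */
function forgotPassword(string $email, array $users, array &$store): string
{
    $start = hrtime(true);              // monotonic clock, nanoseconds
    purgeExpiredHashes($store, time());

    if (isset($users[$email])) {
        $token = bin2hex(random_bytes(32));
        // Keep only a digest, so a leaked table does not yield usable tokens.
        $store[hash('sha256', $token)] = ['user' => $users[$email], 'created' => time()];
        // A real handler would e-mail $token here; that is the slow, observable path.
    }

    // Pad every request up to the same floor before answering.
    $elapsed = (hrtime(true) - $start) / 1e9;
    if ($elapsed < MIN_RESPONSE_SECONDS) {
        usleep((int) round((MIN_RESPONSE_SECONDS - $elapsed) * 1e6));
    }
    return 'If the address is registered, a reset link has been sent.';
}

// Constructed sample data: one known account and one reset hash that has already expired.
$users = ['alice@example.test' => 1];
$store = ['stale-digest' => ['user' => 1, 'created' => time() - 7200]];

foreach (['alice@example.test', 'nobody@example.test'] as $email) {
    $t = microtime(true);
    $msg = forgotPassword($email, $users, $store);
    printf("%-22s %.2fs  %s\n", $email, microtime(true) - $t, $msg);
}
printf("reset hashes stored: %d\n", count($store));
```

The floor only hides the difference while it stays above the slowest code path, so a deployment that sends mail synchronously needs a larger value or a queued send.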


About Live Helper Chat

Live Support chat for your website.
