From 885f6eb124d416a4071b750a240f2d92ded11513 Mon Sep 17 00:00:00 2001
From: Gabriel Peralta
Date: Wed, 27 May 2026 09:31:29 -0300
Subject: [PATCH] Chatwoot: Support allowlisted private API inbox webhooks Self-hosted installations can now opt SafeFetch into private-network access after SSRF hardening. The default remains unchanged: private IP destinations are blocked unless the instance owner explicitly enables private-network requests with SAFE_FETCH_ALLOW_PRIVATE_NETWORK=true This is a breaking change if you use latest tag and have evolution-api or similar deployed on coolify alongside chatwoot.
---
 templates/compose/chatwoot.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/templates/compose/chatwoot.yaml b/templates/compose/chatwoot.yaml
index 407e82bb3..87aaa2c05 100644
--- a/templates/compose/chatwoot.yaml
+++ b/templates/compose/chatwoot.yaml
@@ -38,6 +38,7 @@ services:
 - SMTP_USERNAME=${CHATWOOT_SMTP_USERNAME}
 - SMTP_PASSWORD=${CHATWOOT_SMTP_PASSWORD}
 - ACTIVE_STORAGE_SERVICE=${ACTIVE_STORAGE_SERVICE:-local}
+ - SAFE_FETCH_ALLOW_PRIVATE_NETWORK=${SAFE_FETCH_ALLOW_PRIVATE_NETWORK:-false}
 entrypoint: docker/entrypoints/rails.sh
 command: sh -c "bundle exec rails db:chatwoot_prepare && bundle exec rails s -p 3000 -b 0.0.0.0"
 volumes:
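Review bot: The new `SAFE_FETCH_ALLOW_PRIVATE_NETWORK` entry has no comment telling the operator what setting it to true gives up, so the template should say so next to the variable. Going by the commit message, true lifts SafeFetch's block on private IP destinations, which is the SSRF guard; a comment above the line such as `# Keep false unless webhooks must reach private IPs; true lifts SafeFetch's SSRF block on private-network destinations.` would make that visible at the point of use. The subject says "allowlisted", but the variable as wired here is a single on/off switch, so the wording may promise a narrower scope than the setting gives. The `services:` mapping continues outside the hunk; if another service in this template (a background worker, for example) is the one that delivers webhooks, it would presumably need the same entry, which is worth confirming.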