Skip to main content

Typebot CVE-2026-34207

HIGH
Improper Input Validation (CWE-20)
2026-05-22 GitHub_M
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 17:45 vuln.today
Analysis Generated
May 22, 2026 - 17:45 vuln.today

DescriptionGitHub Advisory

TypeBot is a chatbot builder tool. SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.example that resolves to 127.0.0.1, 169.254.169.254, or RFC1918/private space passes validation and is later fetched by the backend HTTP client. This enables server-side request forgery to loopback, cloud metadata, and private network targets. This issue has been resolved in version 3.16.0.

AnalysisAI

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSRF protections in Webhook and HTTP Request blocks by supplying attacker-controlled hostnames that resolve via DNS to loopback (127.0.0.1), cloud metadata (169.254.169.254), or RFC1918 private addresses. The validation logic only inspected the URL string and literal IP formats without performing DNS resolution, so a benign-looking domain could route the backend HTTP client to internal targets. No public exploit identified at time of analysis, though the GitHub Security Advisory and fix commit are publicly visible.

Technical ContextAI

Typebot is an open-source chatbot builder maintained by baptisteArno (CPE cpe:2.3:a:baptistearno:typebot.io). The vulnerable component is the HTTP Request integration block (packages/bot-engine/src/blocks/integrations/httpRequest/executeHttpRequestBlock.ts) which used the ky HTTP client directly against user-supplied URLs. The root cause maps to CWE-20 (Improper Input Validation): URL validation checked the textual form against a blocklist of literal hostnames and IP-formatted strings, but never resolved the hostname to its actual A/AAAA records before issuing the request. This is a classic DNS-rebinding-class SSRF gap where validation and resolution are decoupled. The fix introduces a safeKy wrapper that performs DNS resolution and rejects link-local (169.254.0.0/16), loopback, and private (e.g., 10.0.0.0/8) destinations, and additionally hardens against redirect-chain bypasses by validating each Location header before following with a maxRedirects cap of 10.

RemediationAI

Vendor-released patch: upgrade to Typebot 3.16.0 or later, which replaces the unguarded ky client with a safeKy wrapper that performs DNS resolution and blocks loopback, link-local, and RFC1918 destinations, and validates each redirect target (see commit https://github.com/baptisteArno/typebot.io/commit/23818bb0e54db23c456ee3fa6b12d82b2af848b8 and advisory https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grcc-6x37-wwgp). If immediate upgrade is not possible, restrict the Typebot backend's network egress at the host or cloud layer by denying outbound traffic to 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 (trade-off: legitimate internal webhooks to these ranges will break), require IMDSv2 with hop-limit 1 on AWS to block cloud-metadata exfiltration via SSRF (trade-off: applications using IMDSv1 must be updated), and tighten account provisioning so only trusted authors can create HTTP Request/Webhook blocks since exploitation requires PR:L.

CVE-2026-33712 CRITICAL
10.0 May 22

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers

CVE-2026-48768 CRITICAL
9.3 Jun 17

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi

CVE-2026-28445 HIGH
8.7 May 22

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor

CVE-2026-48764 HIGH
8.2 Jun 17

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to

CVE-2026-49213 HIGH
8.1 Jul 10

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared

CVE-2026-39965 HIGH
7.7 May 22

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe

CVE-2026-48759 HIGH
7.1 Jun 17

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th

CVE-2026-39968 HIGH
7.1 May 22

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden

CVE-2026-39969 MEDIUM
6.5 May 22

Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to

CVE-2026-39966 MEDIUM
6.5 May 22

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b

CVE-2026-28444 MEDIUM
6.5 May 22

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex

CVE-2026-39964 MEDIUM
5.4 May 22

Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre

Share

CVE-2026-34207 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy