Skip to main content

Typebot CVE-2026-39965

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-22 GitHub_M
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 18:15 vuln.today
Analysis Generated
May 22, 2026 - 18:15 vuln.today

DescriptionGitHub Advisory

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain an SSRF via Open Redirect Bypass as the HTTP Request block and Code block validate the initial request URL via validateHttpReqUrl() to block private IPs and cloud metadata hostnames. However, the HTTP clients (ky and fetch) follow 302 redirects without re-validating the redirect destination. An authenticated user can point a bot block to an attacker-controlled server that responds with a redirect to an internal IP, causing the Typebot server to reach internal services. An authenticated Typebot user can reach AWS metadata (169.254.169.254), private subnets, and container-internal services. Exploitable to extract cloud IAM credentials or probe internal APIs inaccessible from the internet. This issue has been fixed in version 3.16.0.

AnalysisAI

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpReqUrl() SSRF filter by chaining an attacker-controlled HTTP 302 redirect, since the underlying ky and fetch clients follow redirects without re-validating the destination. This enables reaching AWS instance metadata at 169.254.169.254, private subnets, and container-internal services from the Typebot server, with realistic impact including theft of cloud IAM credentials. No public exploit identified at time of analysis, and the issue is fixed in version 3.16.0.

Technical ContextAI

Typebot (cpe:2.3:a:baptistearno:typebot.io) is an open-source chatbot builder whose HTTP Request and Code blocks let bot authors issue outbound HTTP calls from the server. The product implements a denylist-style SSRF guard (validateHttpReqUrl()) that inspects only the initial URL to reject private IP ranges and cloud metadata hostnames, but the HTTP transports used (ky on top of native fetch) transparently follow 302 redirects without invoking that validator again. This is a textbook CWE-918 (Server-Side Request Forgery) realized through an open-redirect-style bypass - the root cause is performing input validation only at the entry point rather than on every network hop the client traverses.

RemediationAI

Vendor-released patch: upgrade to Typebot 3.16.0 or later, as published at https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0 with advisory GHSA-jxv3-m939-w95c. If an immediate upgrade is not feasible, compensating controls include configuring the HTTP client (ky/fetch) to disable automatic redirect following or to re-run validateHttpReqUrl() on every redirect Location header, with the trade-off that legitimate workflows depending on redirect-based APIs (URL shorteners, OAuth-style flows) will break; at the network layer, block egress from the Typebot server to 169.254.169.254/32, RFC1918 ranges, and the container/Kubernetes internal CIDRs (this prevents the SSRF payoff but breaks any intentional internal HTTP calls the bot needs), and on AWS specifically enforce IMDSv2 with a hop limit of 1 to neutralize metadata credential theft from the application container. Restricting who can create or modify HTTP Request and Code blocks to a small, trusted set of editors is a temporary access-control mitigation but does not eliminate insider risk.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-39965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy