Typebot CVE-2026-39966
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
TypeBot is a chatbot builder tool. In versions 3.15.2, the getLinkedTypebots API endpoint returns full bot definitions to any authenticated user who references a target bot ID in a Typebot Link block, regardless of workspace ownership, leading to IDOR. The authorization check uses Array.filter() with an async callback - since filter() is synchronous, the callback always returns a truthy Promise, so the access control predicate is never actually evaluated. Any authenticated Typebot user can read the full definition of any other workspace's private bots, including: all conversation blocks and logic flow, variable values embedded in the bot (credentials, API keys, PII), webhook URLs and integration configurations. This issue has been fixed in version 3.16.0.
AnalysisAI
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a broken authorization check in the getLinkedTypebots API endpoint, constituting a classic IDOR. The root cause is a JavaScript async/await misuse: Array.filter() is synchronous, so passing it an async callback causes every bot to pass the filter - the isReadTypebotForbidden predicate is never actually evaluated. Sensitive data leaked includes embedded credentials, API keys, PII stored as variables, webhook URLs, and integration configurations from any other user's private workspace bots. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the exposure of hardcoded secrets elevates practical risk significantly beyond the 6.5 CVSS score suggests.
Technical ContextAI
The vulnerability resides in apps/builder/src/features/blocks/logic/typebotLink/api/getLinkedTypebots.ts within the Typebot builder application (CPE: cpe:2.3:a:baptistearno:typebot.io:*:*:*:*:*:*:*:*). CWE-863 (Incorrect Authorization) describes the root cause precisely: the authorization predicate exists in code but is never correctly evaluated. In JavaScript, Array.prototype.filter() executes its callback synchronously and treats the return value as a boolean. When the callback is declared async, it returns a Promise object - which is always truthy regardless of the resolved value - causing every element to pass the filter unconditionally. The original code used .filter(async (typebot) => !(await isReadTypebotForbidden(typebot, user))), which silently bypassed the await and let all bots through. The fix, confirmed in commit b9530a089b43bfa6e79e3ff9cbfab921ce832f45, replaces this with Promise.all() to properly resolve all async access checks before applying a synchronous filter, ensuring isReadTypebotForbidden is actually evaluated per bot. The Typebot Link block feature - which allows chaining bots - is the attack surface since it accepts arbitrary bot IDs submitted by the client.
RemediationAI
Upgrade Typebot to version 3.16.0 immediately, as confirmed by the vendor release at https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0 and the fixing commit b9530a089b43bfa6e79e3ff9cbfab921ce832f45. The patch surgically replaces the async-in-filter anti-pattern with a proper Promise.all() resolution loop, correctly enforcing workspace-level access controls on all bot lookups. If immediate upgrade is not possible, a compensating control is to restrict authenticated API access to the getLinkedTypebots endpoint at the network or reverse-proxy layer for untrusted user segments - note this will break legitimate cross-workspace bot linking functionality for affected users. Additionally, organizations should audit embedded bot variables in their Typebot workspaces for hardcoded credentials, API keys, and PII, and rotate any secrets that may have been accessible during the exposure window, since the vulnerability allowed silent read access with no logging of unauthorized access in the affected version.
More in Typebot Io
View allServer-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex
Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today