Skip to main content

Typebot CVE-2026-39966

MEDIUM
Incorrect Authorization (CWE-863)
2026-05-22 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 19:01 vuln.today
Analysis Generated
May 22, 2026 - 19:01 vuln.today

DescriptionGitHub Advisory

TypeBot is a chatbot builder tool. In versions 3.15.2, the getLinkedTypebots API endpoint returns full bot definitions to any authenticated user who references a target bot ID in a Typebot Link block, regardless of workspace ownership, leading to IDOR. The authorization check uses Array.filter() with an async callback - since filter() is synchronous, the callback always returns a truthy Promise, so the access control predicate is never actually evaluated. Any authenticated Typebot user can read the full definition of any other workspace's private bots, including: all conversation blocks and logic flow, variable values embedded in the bot (credentials, API keys, PII), webhook URLs and integration configurations. This issue has been fixed in version 3.16.0.

AnalysisAI

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a broken authorization check in the getLinkedTypebots API endpoint, constituting a classic IDOR. The root cause is a JavaScript async/await misuse: Array.filter() is synchronous, so passing it an async callback causes every bot to pass the filter - the isReadTypebotForbidden predicate is never actually evaluated. Sensitive data leaked includes embedded credentials, API keys, PII stored as variables, webhook URLs, and integration configurations from any other user's private workspace bots. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the exposure of hardcoded secrets elevates practical risk significantly beyond the 6.5 CVSS score suggests.

Technical ContextAI

The vulnerability resides in apps/builder/src/features/blocks/logic/typebotLink/api/getLinkedTypebots.ts within the Typebot builder application (CPE: cpe:2.3:a:baptistearno:typebot.io:*:*:*:*:*:*:*:*). CWE-863 (Incorrect Authorization) describes the root cause precisely: the authorization predicate exists in code but is never correctly evaluated. In JavaScript, Array.prototype.filter() executes its callback synchronously and treats the return value as a boolean. When the callback is declared async, it returns a Promise object - which is always truthy regardless of the resolved value - causing every element to pass the filter unconditionally. The original code used .filter(async (typebot) => !(await isReadTypebotForbidden(typebot, user))), which silently bypassed the await and let all bots through. The fix, confirmed in commit b9530a089b43bfa6e79e3ff9cbfab921ce832f45, replaces this with Promise.all() to properly resolve all async access checks before applying a synchronous filter, ensuring isReadTypebotForbidden is actually evaluated per bot. The Typebot Link block feature - which allows chaining bots - is the attack surface since it accepts arbitrary bot IDs submitted by the client.

RemediationAI

Upgrade Typebot to version 3.16.0 immediately, as confirmed by the vendor release at https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0 and the fixing commit b9530a089b43bfa6e79e3ff9cbfab921ce832f45. The patch surgically replaces the async-in-filter anti-pattern with a proper Promise.all() resolution loop, correctly enforcing workspace-level access controls on all bot lookups. If immediate upgrade is not possible, a compensating control is to restrict authenticated API access to the getLinkedTypebots endpoint at the network or reverse-proxy layer for untrusted user segments - note this will break legitimate cross-workspace bot linking functionality for affected users. Additionally, organizations should audit embedded bot variables in their Typebot workspaces for hardcoded credentials, API keys, and PII, and rotate any secrets that may have been accessible during the exposure window, since the vulnerability allowed silent read access with no logging of unauthorized access in the affected version.

CVE-2026-33712 CRITICAL
10.0 May 22

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers

CVE-2026-48768 CRITICAL
9.3 Jun 17

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi

CVE-2026-28445 HIGH
8.7 May 22

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor

CVE-2026-48764 HIGH
8.2 Jun 17

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to

CVE-2026-49213 HIGH
8.1 Jul 10

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared

CVE-2026-39965 HIGH
7.7 May 22

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe

CVE-2026-34207 HIGH
7.6 May 22

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR

CVE-2026-48759 HIGH
7.1 Jun 17

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th

CVE-2026-39968 HIGH
7.1 May 22

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden

CVE-2026-39969 MEDIUM
6.5 May 22

Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to

CVE-2026-28444 MEDIUM
6.5 May 22

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex

CVE-2026-39964 MEDIUM
5.4 May 22

Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre

Share

CVE-2026-39966 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy