Typebot CVE-2026-39967
LOWSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's the findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a different typebot by supplying a foreign resultId to the startChat endpoint. Exploitation is constrained by CUID2's cryptographically random 24-character IDs (making brute-force infeasible), the requirement that rememberUser be enabled, and the need for matching variable names in the current typebot. If successfully exploited, an attacker can access the original user's previous answers, session variable values, and hasStarted flag, potentially exposing PII like names, emails, and phone numbers. This issue has been fixed in version 3.16.0.
AnalysisAI
Cross-typebot result data leakage in Typebot versions 3.15.2 and prior allows an authenticated user to read session variables, prior answers, and PII from a different typebot by supplying a foreign resultId to the startChat endpoint. The bot engine's findResult query omits typebotId from its database filter (CWE-639 IDOR), so any valid result record is returned regardless of which typebot owns it. If the attacker possesses a valid CUID2 resultId from another typebot and that typebot has rememberUser enabled, they can read the original user's names, emails, phone numbers, and other session variables exposed through matching variable names. No public exploit has been identified at time of analysis; vendor-released patch is available in version 3.16.0.
Technical ContextAI
Typebot (CPE: cpe:2.3:a:baptistearno:typebot.io) is a Node.js/TypeScript chatbot builder that persists session results in a database accessed via Prisma ORM. The vulnerable code path is in packages/bot-engine/src/queries/findResult.ts, where the Prisma where clause queried only on { id, isArchived: { not: true } }, entirely omitting the typebotId ownership check. This is a textbook CWE-639 (Authorization Bypass Through User-Controlled Key) - the application uses a user-supplied CUID2 result ID as the sole lookup key without verifying that the requesting session's typebot owns that record. The fix, committed at 73162634e6bdebd37a1a571db4062d30854e0400, adds typebotId to both the findResult function signature and the Prisma where clause, enforcing ownership at the query level. Exploitation additionally requires the rememberUser feature to be active on the target typebot, as that is the mechanism that associates a resultId with a returning session.
RemediationAI
Vendor-released patch: version 3.16.0. Upgrade to Typebot v3.16.0 immediately, available at https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0. The fix adds typebotId ownership enforcement to the findResult Prisma query (commit 73162634e6bdebd37a1a571db4062d30854e0400), closing the IDOR at the database layer. For operators unable to upgrade immediately, a targeted workaround is to disable the rememberUser feature across all typebots on the instance, as exploitation requires this feature to be active - note this will break returning-user session continuity. Additionally, restricting bot creation rights to trusted users only reduces the authenticated-attacker surface in multi-tenant deployments. There are no other known compensating controls that fully mitigate the authorization bypass without patching.
More in Typebot Io
View allServer-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today