Skip to main content

Typebot CVE-2026-39967

LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-22 GitHub_M
3.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 19:30 vuln.today
Analysis Generated
May 22, 2026 - 19:30 vuln.today

DescriptionGitHub Advisory

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's the findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a different typebot by supplying a foreign resultId to the startChat endpoint. Exploitation is constrained by CUID2's cryptographically random 24-character IDs (making brute-force infeasible), the requirement that rememberUser be enabled, and the need for matching variable names in the current typebot. If successfully exploited, an attacker can access the original user's previous answers, session variable values, and hasStarted flag, potentially exposing PII like names, emails, and phone numbers. This issue has been fixed in version 3.16.0.

AnalysisAI

Cross-typebot result data leakage in Typebot versions 3.15.2 and prior allows an authenticated user to read session variables, prior answers, and PII from a different typebot by supplying a foreign resultId to the startChat endpoint. The bot engine's findResult query omits typebotId from its database filter (CWE-639 IDOR), so any valid result record is returned regardless of which typebot owns it. If the attacker possesses a valid CUID2 resultId from another typebot and that typebot has rememberUser enabled, they can read the original user's names, emails, phone numbers, and other session variables exposed through matching variable names. No public exploit has been identified at time of analysis; vendor-released patch is available in version 3.16.0.

Technical ContextAI

Typebot (CPE: cpe:2.3:a:baptistearno:typebot.io) is a Node.js/TypeScript chatbot builder that persists session results in a database accessed via Prisma ORM. The vulnerable code path is in packages/bot-engine/src/queries/findResult.ts, where the Prisma where clause queried only on { id, isArchived: { not: true } }, entirely omitting the typebotId ownership check. This is a textbook CWE-639 (Authorization Bypass Through User-Controlled Key) - the application uses a user-supplied CUID2 result ID as the sole lookup key without verifying that the requesting session's typebot owns that record. The fix, committed at 73162634e6bdebd37a1a571db4062d30854e0400, adds typebotId to both the findResult function signature and the Prisma where clause, enforcing ownership at the query level. Exploitation additionally requires the rememberUser feature to be active on the target typebot, as that is the mechanism that associates a resultId with a returning session.

RemediationAI

Vendor-released patch: version 3.16.0. Upgrade to Typebot v3.16.0 immediately, available at https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0. The fix adds typebotId ownership enforcement to the findResult Prisma query (commit 73162634e6bdebd37a1a571db4062d30854e0400), closing the IDOR at the database layer. For operators unable to upgrade immediately, a targeted workaround is to disable the rememberUser feature across all typebots on the instance, as exploitation requires this feature to be active - note this will break returning-user session continuity. Additionally, restricting bot creation rights to trusted users only reduces the authenticated-attacker surface in multi-tenant deployments. There are no other known compensating controls that fully mitigate the authorization bypass without patching.

CVE-2026-33712 CRITICAL
10.0 May 22

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers

CVE-2026-48768 CRITICAL
9.3 Jun 17

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi

CVE-2026-28445 HIGH
8.7 May 22

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor

CVE-2026-48764 HIGH
8.2 Jun 17

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to

CVE-2026-49213 HIGH
8.1 Jul 10

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared

CVE-2026-39965 HIGH
7.7 May 22

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe

CVE-2026-34207 HIGH
7.6 May 22

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR

CVE-2026-48759 HIGH
7.1 Jun 17

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th

CVE-2026-39968 HIGH
7.1 May 22

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden

CVE-2026-39969 MEDIUM
6.5 May 22

Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to

CVE-2026-39966 MEDIUM
6.5 May 22

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b

CVE-2026-28444 MEDIUM
6.5 May 22

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex

Share

CVE-2026-39967 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy