Typebot CVE-2026-39968
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the bot-engine runtime still allows any authenticated user to use credentials from any workspace via the preview chat endpoint. The bot-engine's getCredentials() utility function uses a falsy check (if (workspaceId && ...)) for workspace ownership validation. Since the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, an attacker can supply workspaceId: "" to bypass credential ownership verification entirely. Exploitation can result in credential exfiltration, external service abuse, financial damage and a data breach.
AnalysisAI
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access credentials from arbitrary workspaces via the preview chat endpoint. The bot-engine's getCredentials() utility uses a falsy check on workspaceId, so supplying an empty string bypasses ownership validation entirely, enabling credential theft, external service abuse, and data breach. This is an incomplete fix for the prior advisory GHSA-4xc5-wfwc-jw47, and no public exploit has been identified at time of analysis though the patch commit is public.
Technical ContextAI
Typebot (cpe:2.3:a:baptistearno:typebot.io) is an open-source chatbot builder with a builder application and a bot-engine runtime that executes flows. Credentials (e.g., SMTP, API keys for integrations) are scoped to workspaces, and the prior fix added workspace membership checks to the builder's getCredentials tRPC endpoint. However, the bot-engine's preview chat path retained a flawed getCredentials() helper guarded by 'if (workspaceId && ...)', which short-circuits when workspaceId is falsy. Combined with a Zod input schema that permits empty strings for the client-controlled workspaceId field, the ownership check is skipped entirely. This is a CWE-284 (Improper Access Control) issue rooted in incomplete input validation and a permissive truthiness guard around the authorization gate.
RemediationAI
Vendor-released patch: upgrade to Typebot v3.16.0 or later (https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0), which moves the preview chat procedures behind authenticatedProcedure in a new builderChatRouter and changes startChatPreviewProcedure from procedureWithOptionalUser to protectedProcedure, per commit d96f572e6099c5f622c05ba7b8634e6477dcf052. If immediate upgrade is not possible, restrict account creation so that only trusted users can authenticate (closing self-service signups eliminates the PR:L attack surface), and consider temporarily disabling the preview chat endpoint at the reverse proxy by blocking the /v1/typebots/{typebotId}/preview/startChat and /v1/sessions/{sessionId}/continueChat routes - note this will break the in-builder preview feature for legitimate users. Review audit logs for unexpected use of credentials from workspaces other than their owner's, and rotate any credentials (SMTP, API keys, OAuth tokens) stored in Typebot workspaces that may have been exposed prior to patching.
More in Typebot Io
View allServer-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex
Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today