Skip to main content

Typebot CVE-2026-39968

HIGH
Improper Access Control (CWE-284)
2026-05-22 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 19:00 vuln.today
Analysis Generated
May 22, 2026 - 19:00 vuln.today

DescriptionGitHub Advisory

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the bot-engine runtime still allows any authenticated user to use credentials from any workspace via the preview chat endpoint. The bot-engine's getCredentials() utility function uses a falsy check (if (workspaceId && ...)) for workspace ownership validation. Since the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, an attacker can supply workspaceId: "" to bypass credential ownership verification entirely. Exploitation can result in credential exfiltration, external service abuse, financial damage and a data breach.

AnalysisAI

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access credentials from arbitrary workspaces via the preview chat endpoint. The bot-engine's getCredentials() utility uses a falsy check on workspaceId, so supplying an empty string bypasses ownership validation entirely, enabling credential theft, external service abuse, and data breach. This is an incomplete fix for the prior advisory GHSA-4xc5-wfwc-jw47, and no public exploit has been identified at time of analysis though the patch commit is public.

Technical ContextAI

Typebot (cpe:2.3:a:baptistearno:typebot.io) is an open-source chatbot builder with a builder application and a bot-engine runtime that executes flows. Credentials (e.g., SMTP, API keys for integrations) are scoped to workspaces, and the prior fix added workspace membership checks to the builder's getCredentials tRPC endpoint. However, the bot-engine's preview chat path retained a flawed getCredentials() helper guarded by 'if (workspaceId && ...)', which short-circuits when workspaceId is falsy. Combined with a Zod input schema that permits empty strings for the client-controlled workspaceId field, the ownership check is skipped entirely. This is a CWE-284 (Improper Access Control) issue rooted in incomplete input validation and a permissive truthiness guard around the authorization gate.

RemediationAI

Vendor-released patch: upgrade to Typebot v3.16.0 or later (https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0), which moves the preview chat procedures behind authenticatedProcedure in a new builderChatRouter and changes startChatPreviewProcedure from procedureWithOptionalUser to protectedProcedure, per commit d96f572e6099c5f622c05ba7b8634e6477dcf052. If immediate upgrade is not possible, restrict account creation so that only trusted users can authenticate (closing self-service signups eliminates the PR:L attack surface), and consider temporarily disabling the preview chat endpoint at the reverse proxy by blocking the /v1/typebots/{typebotId}/preview/startChat and /v1/sessions/{sessionId}/continueChat routes - note this will break the in-builder preview feature for legitimate users. Review audit logs for unexpected use of credentials from workspaces other than their owner's, and rotate any credentials (SMTP, API keys, OAuth tokens) stored in Typebot workspaces that may have been exposed prior to patching.

CVE-2026-33712 CRITICAL
10.0 May 22

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers

CVE-2026-48768 CRITICAL
9.3 Jun 17

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi

CVE-2026-28445 HIGH
8.7 May 22

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor

CVE-2026-48764 HIGH
8.2 Jun 17

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to

CVE-2026-49213 HIGH
8.1 Jul 10

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared

CVE-2026-39965 HIGH
7.7 May 22

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe

CVE-2026-34207 HIGH
7.6 May 22

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR

CVE-2026-48759 HIGH
7.1 Jun 17

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th

CVE-2026-39969 MEDIUM
6.5 May 22

Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to

CVE-2026-39966 MEDIUM
6.5 May 22

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b

CVE-2026-28444 MEDIUM
6.5 May 22

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex

CVE-2026-39964 MEDIUM
5.4 May 22

Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre

Share

CVE-2026-39968 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy