Typebot CVE-2026-39969
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both workspaceId and credentialsId as path parameters, which are logged in web server access logs, visible in Meta's webhook configuration dashboard, and potentially shared when configuring integrations. This allows any unauthenticated attacker to send spoofed webhook messages to trigger bot flows, consume API resources, and interact with external services using the workspace owner's credentials. The issue has been fixed in version 3.17.0.
AnalysisAI
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to unauthenticated webhook spoofing by any network-accessible attacker. The endpoint POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook ignores the x-hub-signature-256 header that Meta includes with every legitimate delivery, and because both path parameters are semi-public by design - appearing in web server access logs and Meta's webhook configuration dashboard - the attack surface is readily discoverable. Successful exploitation allows an attacker to trigger arbitrary bot automation flows, consume API resources, and abuse external service integrations using the workspace owner's stored credentials. No public exploit identified at time of analysis; vendor-released patch available in version 3.17.0.
Technical ContextAI
The vulnerability resides in the WhatsApp Cloud API webhook integration of typebot.io (CPE: cpe:2.3:a:baptistearno:typebot.io:*:*:*:*:*:*:*:*). Meta's webhook delivery protocol requires receivers to verify an x-hub-signature-256 HMAC-SHA256 header computed against the raw request body using a shared app secret; this is the sole mechanism that distinguishes legitimate Meta-originated events from arbitrary attacker-crafted payloads. The affected endpoint omits this check entirely, mapping directly to CWE-287 (Improper Authentication). Compounding the risk, the endpoint embeds both workspaceId and credentialsId as URL path parameters, which are logged in web server access logs, visible in Meta's developer webhook configuration dashboard, and likely present in any shared integration setup documentation - making the URL practically discoverable without any reconnaissance beyond normal integration workflows.
RemediationAI
Upgrade to Typebot version 3.17.0, which includes a confirmed fix for WhatsApp webhook signature verification via commit e296c87 (PR #2498 'Fix WhatsApp webhook verification'). The release is available at https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.0 and the security advisory is at https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8vqp-r5w7-v47f. For deployments that cannot immediately upgrade, a targeted compensating control is to restrict access to the /v1/workspaces/*/whatsapp/*/webhook path at the reverse-proxy or WAF layer to only Meta's published webhook delivery IP ranges; note this requires maintaining an up-to-date allowlist and will break delivery if Meta's ranges change. Alternatively, disabling the WhatsApp Cloud API integration entirely eliminates the attack surface at the cost of WhatsApp functionality. After patching, rotating WhatsApp Cloud API credentials is advisable if any unauthorized webhook activity is suspected.
More in Typebot Io
View allServer-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex
Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today