Typebot CVE-2026-48764
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Remote unauthenticated SSRF via DNS rebinding against public bot URL inputs; high confidentiality from metadata/credential disclosure, low integrity via internal POST endpoints, no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF validation is implemented by resolving a hostname once and checking whether the resolved IP belongs to a forbidden range allowing for DNS rebinding bypass. The root cause is a time-of-check to time-of-use gap in the SSRF guard. The validator resolves the hostname and approves it, but the later request path performs a fresh resolution and connects to whatever IP the hostname maps to at that moment. The actual outbound request is then performed later using the original hostname, without pinning the validated IP to the network connection. An attacker who can supply a URL to a public bot that performs a server-side HTTP Request block or server-side script fetch can use DNS rebinding to pass the initial validation and still force the server to connect to a private or metadata address during the real request. This enables server-side access to private network services, cloud metadata endpoints, and other internal HTTP targets that the validator was intended to block. The exact downstream impact depends on the reachable internal services. Concrete consequences include metadata disclosure, access to internal admin panels, credential theft from metadata services, and further compromise through internal-only HTTP interfaces. This issue has been fixed in version 3.17.2.
AnalysisAI
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to bypass SSRF protections via DNS rebinding, reaching internal services and cloud metadata endpoints. The validator resolves a hostname once for allowlist checks, but the subsequent HTTP request performs a fresh DNS resolution without IP pinning, creating a time-of-check to time-of-use (TOCTOU) gap. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a publicly reachable Typebot instance running a version prior to 3.17.2 that exposes a bot configured with either a server-side HTTP Request block or a server-side script fetch primitive, and where the attacker can supply or influence the URL passed to that block. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) reflects an unauthenticated network-reachable attack against any publicly exposed Typebot instance that exposes a bot capable of HTTP Request blocks or server-side script fetches. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or interacts with a public Typebot bot that uses an HTTP Request block, supplies a URL pointing to an attacker-controlled domain whose DNS server alternates responses between a public IP (passes validation) and 169.254.169.254 (returned at fetch time). Typebot's validator approves the hostname against its first resolution, then the HTTP client re-resolves and connects to the AWS metadata service, returning IAM role credentials to the attacker via the bot's response. … |
| Remediation | Vendor-released patch: upgrade Typebot to version 3.17.2 or later (https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.2), which adds IP pinning between validation and request execution and additionally blocks IPv6 unspecified address variants (commit f56c3c3f771df13a8c11e88f500dfdd78981bed1). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Typebot deployments and assess their network exposure; implement immediate network segmentation to block outbound connections from Typebot to cloud metadata service ranges (169.254.169.254/32 for AWS, equivalent for other cloud providers) and internal IP ranges; enable egress monitoring. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Typebot Io
View allServer-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex
Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today