Skip to main content

Typebot CVE-2026-48764

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-17 GitHub_M
8.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
8.2 HIGH

Remote unauthenticated SSRF via DNS rebinding against public bot URL inputs; high confidentiality from metadata/credential disclosure, low integrity via internal POST endpoints, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 00:00 vuln.today
Analysis Generated
Jun 18, 2026 - 00:00 vuln.today

DescriptionCVE.org

TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF validation is implemented by resolving a hostname once and checking whether the resolved IP belongs to a forbidden range allowing for DNS rebinding bypass. The root cause is a time-of-check to time-of-use gap in the SSRF guard. The validator resolves the hostname and approves it, but the later request path performs a fresh resolution and connects to whatever IP the hostname maps to at that moment. The actual outbound request is then performed later using the original hostname, without pinning the validated IP to the network connection. An attacker who can supply a URL to a public bot that performs a server-side HTTP Request block or server-side script fetch can use DNS rebinding to pass the initial validation and still force the server to connect to a private or metadata address during the real request. This enables server-side access to private network services, cloud metadata endpoints, and other internal HTTP targets that the validator was intended to block. The exact downstream impact depends on the reachable internal services. Concrete consequences include metadata disclosure, access to internal admin panels, credential theft from metadata services, and further compromise through internal-only HTTP interfaces. This issue has been fixed in version 3.17.2.

AnalysisAI

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to bypass SSRF protections via DNS rebinding, reaching internal services and cloud metadata endpoints. The validator resolves a hostname once for allowlist checks, but the subsequent HTTP request performs a fresh DNS resolution without IP pinning, creating a time-of-check to time-of-use (TOCTOU) gap. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify public Typebot bot with HTTP Request block
Delivery
Set up DNS rebinding server with low TTL
Exploit
Submit attacker-controlled URL to bot
Install
Validator resolves to public IP and approves
C2
HTTP client re-resolves to 169.254.169.254
Execute
Server fetches cloud metadata IAM credentials
Impact
Exfiltrate credentials via bot response

Vulnerability AssessmentAI

Exploitation Requires a publicly reachable Typebot instance running a version prior to 3.17.2 that exposes a bot configured with either a server-side HTTP Request block or a server-side script fetch primitive, and where the attacker can supply or influence the URL passed to that block. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) reflects an unauthenticated network-reachable attack against any publicly exposed Typebot instance that exposes a bot capable of HTTP Request blocks or server-side script fetches. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or interacts with a public Typebot bot that uses an HTTP Request block, supplies a URL pointing to an attacker-controlled domain whose DNS server alternates responses between a public IP (passes validation) and 169.254.169.254 (returned at fetch time). Typebot's validator approves the hostname against its first resolution, then the HTTP client re-resolves and connects to the AWS metadata service, returning IAM role credentials to the attacker via the bot's response. …
Remediation Vendor-released patch: upgrade Typebot to version 3.17.2 or later (https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.2), which adds IP pinning between validation and request execution and additionally blocks IPv6 unspecified address variants (commit f56c3c3f771df13a8c11e88f500dfdd78981bed1). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Typebot deployments and assess their network exposure; implement immediate network segmentation to block outbound connections from Typebot to cloud metadata service ranges (169.254.169.254/32 for AWS, equivalent for other cloud providers) and internal IP ranges; enable egress monitoring. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33712 CRITICAL
10.0 May 22

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers

CVE-2026-48768 CRITICAL
9.3 Jun 17

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi

CVE-2026-28445 HIGH
8.7 May 22

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor

CVE-2026-49213 HIGH
8.1 Jul 10

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared

CVE-2026-39965 HIGH
7.7 May 22

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe

CVE-2026-34207 HIGH
7.6 May 22

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR

CVE-2026-48759 HIGH
7.1 Jun 17

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th

CVE-2026-39968 HIGH
7.1 May 22

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden

CVE-2026-39969 MEDIUM
6.5 May 22

Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to

CVE-2026-39966 MEDIUM
6.5 May 22

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b

CVE-2026-28444 MEDIUM
6.5 May 22

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex

CVE-2026-39964 MEDIUM
5.4 May 22

Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre

Share

CVE-2026-48764 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy