Typebot CVE-2026-48768
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Unauthenticated network endpoint (AV:N/AC:L/PR:N/UI:N); cross-tenant write into a separate security authority gives S:C and I:H; minor C:L from key enumeration; no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any anonymous visitor to a published bot with a file input can upload attacker-controlled HTML, SVG, or JS to attacker-chosen subpaths, including other tenants’ publicly served result paths, enabling arbitrary content hosting and potential stored XSS on the storage origin. ../ traversal is blocked by S3/MinIO canonicalization (signature mismatch), but forward-slash path injection is exploitable. This issue has been fixed in version 3.17.0.
AnalysisAI
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visitors of any published bot containing a file-input block to write attacker-controlled HTML, SVG, or JavaScript into arbitrary subpaths of the shared public S3 bucket. The flaw stems from an unauthenticated presigned-URL endpoint that trusts a raw fileName parameter and does not bind Content-Type, enabling stored XSS on the storage origin and content hosting under other tenants' result paths. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the target Typebot instance to have at least one published bot containing a file-input block (v3) whose generate-upload-url endpoint is reachable; no authentication, no user interaction, and no admin access are required, consistent with PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely aligned toward real priority: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N gives a pre-auth, low-complexity, no-interaction network attack, S:C captures the cross-tenant pivot, and I:H reflects the ability to write arbitrary files into another tenant's content path; C:L and A:N correctly reflect that this is a write/integrity primitive, not data exfiltration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker browses any internet-reachable Typebot instance, finds or generates a published bot URL that includes a file-input block, and calls the public generate-upload-url endpoint with a crafted fileName like 'public/<victim-workspace>/results/<victim-bot>/poc.html'. The server returns a presigned PUT URL targeting that key; the attacker PUTs an HTML or SVG payload (Content-Type is not bound by the signature) and links victims to the now-attacker-controlled URL under the victim tenant's path, triggering stored XSS or hosted phishing on the storage origin. |
| Remediation | Vendor-released patch: 3.17.0 - upgrade to https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.0, which is the primary fix and resolves both the fileName sanitization and the missing Content-Type binding on presigned URLs. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Typebot.io deployments and identify instances running version 3.16.1 or earlier; immediately disable file-input blocks in all published bots. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Typebot Io
View allServer-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex
Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today