CVE-2026-39968

Severity: High (CVSS 3.1 base score 7.1) · EPSS 18.6%
Published May 22, 2026 (1 month ago) · Modified Jun 17, 2026 (1 week ago)

Description

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the bot-engine runtime still allows any authenticated user to use credentials from any workspace via the preview chat endpoint. The bot-engine's getCredentials() utility function uses a falsy check (if (workspaceId && ...)) for workspace ownership validation. Since the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, an attacker can supply workspaceId: "" to bypass credential ownership verification entirely. Exploitation can result in credential exfiltration, external service abuse, financial damage and a data breach.
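The check pattern described above, as a constructed TypeScript illustration that is not TypeBot's code (the store, the Credential type and the helper names are hypothetical): the ownership check gated on the truthiness of a client-controlled workspaceId, next to a hardened version that rejects an empty field at the schema boundary and always enforces membership.

```typescript
// Constructed illustration of the CVE-2026-39968 check pattern. Not TypeBot's code;
// Credential, CREDENTIALS, MEMBERSHIPS and isWorkspaceMember are hypothetical names.
type Credential = { id: string; workspaceId: string; secret: string };

// Constructed in-memory data standing in for the database.
const CREDENTIALS: Credential[] = [
  { id: "cred-a", workspaceId: "ws-alice", secret: "alice-api-key" },
  { id: "cred-b", workspaceId: "ws-bob", secret: "bob-api-key" },
];
const MEMBERSHIPS: Record<string, string[]> = { "ws-alice": ["alice"], "ws-bob": ["bob"] };

function isWorkspaceMember(userId: string, workspaceId: string): boolean {
  return (MEMBERSHIPS[workspaceId] ?? []).includes(userId);
}

// Vulnerable shape: the membership check only runs when workspaceId is truthy.
// A request whose schema accepts "" therefore skips the check and the credential
// is returned by id alone, regardless of which workspace owns it.
function getCredentialsVulnerable(userId: string, credentialId: string, workspaceId: string): Credential | null {
  const cred = CREDENTIALS.find((c) => c.id === credentialId) ?? null;
  if (!cred) return null;
  if (workspaceId && !isWorkspaceMember(userId, workspaceId)) return null;
  return cred;
}

// Hardened shape: validate the field explicitly (the Zod equivalent is
// z.string().min(1) instead of z.string()), require membership unconditionally,
// and scope the lookup to that workspace so no other workspace's row can match.
function getCredentialsFixed(userId: string, credentialId: string, workspaceId: unknown): Credential | null {
  if (typeof workspaceId !== "string" || workspaceId.length === 0) return null; // schema boundary
  if (!isWorkspaceMember(userId, workspaceId)) return null;                     // always enforced
  return CREDENTIALS.find((c) => c.id === credentialId && c.workspaceId === workspaceId) ?? null;
}
```

The same pair of calls makes a useful regression test: an empty workspaceId must be rejected, and a member must still be able to read credentials of their own workspace.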

CVSS Details

Base Score
7.1
Exploitability
2.8
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
18.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses (3)

CWE-284 Improper Access Control
CWE-522 Insufficiently Protected Credentials
CWE-639 Authorization Bypass Through User-Controlled Key

References (3)

  • Fix commit: https://github.com/baptisteArno/typebot.io/commit/d96f572e6099c5f622c05ba7b8634e6477dcf052
  • Release v3.16.0: https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0
  • GitHub advisory GHSA-cq66-9cwr-x8jr: https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-cq66-9cwr-x8jr

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.