Close Menu
    Subscribe
    Alerts

    CVE-2026-39965 | THREATINT

    adminBy No Comments1 Min Read


    Home

    Description

    TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain an SSRF via Open Redirect Bypass as the HTTP Request block and Code block validate the initial request URL via validateHttpReqUrl() to block private IPs and cloud metadata hostnames. However, the HTTP clients (ky and fetch) follow 302 redirects without re-validating the redirect destination. An authenticated user can point a bot block to an attacker-controlled server that responds with a redirect to an internal IP, causing the Typebot server to reach internal services. An authenticated Typebot user can reach AWS metadata (169.254.169.254), private subnets, and container-internal services. Exploitable to extract cloud IAM credentials or probe internal APIs inaccessible from the internet. This issue has been fixed in version 3.16.0.

    PUBLISHED Reserved 2026-04-08 | Published 2026-05-22 | Updated 2026-05-22 | Assigner GitHub_M

    HIGH: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

    Problem types

    CWE-918: Server-Side Request Forgery (SSRF)

    Product status

    < 3.16.0
    affected

    References

    github.com/…bot.io/security/advisories/GHSA-jxv3-m939-w95c exploit

    github.com/…bot.io/security/advisories/GHSA-jxv3-m939-w95c

    github.com/baptisteArno/typebot.io/releases/tag/v3.16.0

    cve.org (CVE-2026-39965)

    nvd.nist.gov (CVE-2026-39965)

    Download JSON



    Source link

    Share.

    Related Posts

    Add A Comment

    Comments are closed.