Enestayboga

**Name of the Vulnerable Software and Affected Versions** TypeBot versions prior to 3.15.3 **Description** An incomplete fix in the bot-engine runtime allows authenticated users to use credentials from any workspace via the preview chat endpoint. The `getCredentials()` utility function employs a falsy check for workspace ownership validation. Because the preview endpoint accepts a client-controlled `workspaceId` field and the Zod schema allows empty strings, providing `workspaceId: ""` bypasses credential ownership verification. This can lead to credential exfiltration, external service abuse, financial damage, and data breaches. **Recommendations** Update to a version later than 3.15.2.

**Name of the Vulnerable Software and Affected Versions** TypeBot versions prior to 3.16.0 **Description** An issue in the bot engine's `findResult` query fails to filter results by `typebotId`. This allows an authenticated user to load result data, including user answers and variable values, from a different typebot by providing a foreign `resultId` to the 'startChat' endpoint. Successful exploitation can expose personally identifiable information (PII) such as names, emails, and phone numbers, as well as session variable values and the `hasStarted` flag. Exploitation requires `rememberUser` to be enabled and matching variable names in the current typebot. The use of CUID2 (cryptographically random 24-character IDs) makes brute-forcing the `resultId` infeasible. **Recommendations** Update to version 3.16.0.