PT-2026-42797 · Typebot · Typebot

Published

2026-05-22

·

Updated

2026-05-22

·

CVE-2026-28444

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Typebot versions prior to 3.15.2
Description An Insecure Direct Object Reference (IDOR) exists in the chatbot builder tool. The 'getResultLogs' API endpoint authorizes the caller using the typebotId but retrieves logs based only on the resultId without verifying that the result is associated with the authorized typebot. This allows an authenticated attacker to use their own typebotId and a victim's resultId to access execution logs from other workspaces, potentially leaking sensitive data such as HTTP response bodies, AI model outputs, and webhook payloads.
Recommendations Update to version 3.15.2.

Exploit

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-28444
GHSA-C63P-MQX5-75R7

Affected Products

Typebot