PT-2026-42797 · Typebot · Typebot
Published
2026-05-22
·
Updated
2026-05-22
·
CVE-2026-28444
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Typebot versions prior to 3.15.2
Description
An Insecure Direct Object Reference (IDOR) exists in the chatbot builder tool. The 'getResultLogs' API endpoint authorizes the caller using the
typebotId but retrieves logs based only on the resultId without verifying that the result is associated with the authorized typebot. This allows an authenticated attacker to use their own typebotId and a victim's resultId to access execution logs from other workspaces, potentially leaking sensitive data such as HTTP response bodies, AI model outputs, and webhook payloads.Recommendations
Update to version 3.15.2.
Exploit
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Typebot