PT-2026-42802 · Typebot · Typebot

Published

2026-05-22

·

Updated

2026-05-22

·

CVE-2026-34207

CVSS v3.1

7.6

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.16.0
Description TypeBot is a chatbot builder tool. The SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats without resolving DNS before allowing the request. This allows a hostname that resolves to 127.0.0.1, 169.254.169.254, or RFC1918/private space to pass validation and be fetched by the backend HTTP client. This enables server-side request forgery (SSRF)—a flaw where an attacker can force the server to make requests to internal or unintended destinations—to loopback, cloud metadata, and private network targets.
Recommendations Update to version 3.16.0.

Exploit

Fix

RCE

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-34207
GHSA-GRCC-6X37-WWGP

Affected Products

Typebot