PT-2026-42821 · Typebot · Typebot

Enestayboga

·

Published

2026-05-22

·

Updated

2026-05-23

·

CVE-2026-39968

CVSS v3.1

7.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.15.3
Description An incomplete fix in the bot-engine runtime allows authenticated users to use credentials from any workspace via the preview chat endpoint. The getCredentials() utility function employs a falsy check for workspace ownership validation. Because the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, providing workspaceId: "" bypasses credential ownership verification. This can lead to credential exfiltration, external service abuse, financial damage, and data breaches.
Recommendations Update to a version later than 3.15.2.

Exploit

Fix

Improper Access Control

IDOR

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-39968
GHSA-CQ66-9CWR-X8JR

Affected Products

Typebot