PT-2026-42824 · Typebot · Typebot

·

CVE-2026-39967

·

Published

2026-05-22

·

Updated

2026-05-23

CVSS v3.1

3.1

Low

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.16.0
Description An issue in the bot engine's findResult query fails to filter results by typebotId. This allows an authenticated user to load result data, including user answers and variable values, from a different typebot by providing a foreign resultId to the 'startChat' endpoint. Successful exploitation can expose personally identifiable information (PII) such as names, emails, and phone numbers, as well as session variable values and the hasStarted flag. Exploitation requires rememberUser to be enabled and matching variable names in the current typebot. The use of CUID2 (cryptographically random 24-character IDs) makes brute-forcing the resultId infeasible.
Recommendations Update to version 3.16.0.

Exploit

Fix

Missing Authorization

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-39967
GHSA-F475-7M4X-M6MX

Affected Products

Typebot