PT-2026-42824 · Typebot · Typebot
CVSS v3.1
3.1
Low
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
TypeBot versions prior to 3.16.0
Description
An issue in the bot engine's
findResult query fails to filter results by typebotId. This allows an authenticated user to load result data, including user answers and variable values, from a different typebot by providing a foreign resultId to the 'startChat' endpoint. Successful exploitation can expose personally identifiable information (PII) such as names, emails, and phone numbers, as well as session variable values and the hasStarted flag. Exploitation requires rememberUser to be enabled and matching variable names in the current typebot. The use of CUID2 (cryptographically random 24-character IDs) makes brute-forcing the resultId infeasible.Recommendations
Update to version 3.16.0.
Exploit
Fix
Missing Authorization
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Typebot