PT-2026-42825 · Typebot · Typebot
Published
2026-05-22
·
Updated
2026-05-23
·
CVE-2026-39969
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
TypeBot versions prior to 3.17.0
Description
The WhatsApp Cloud API webhook endpoint 'POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook' fails to verify the
x-hub-signature-256 HMAC signature provided by Meta. Because the workspaceId and credentialsId path parameters are often logged in web server access logs or visible in configuration dashboards, an unauthenticated attacker can send spoofed webhook messages. This allows the attacker to trigger bot flows, consume API resources, and interact with external services using the credentials of the workspace owner.Recommendations
Update to version 3.17.0.
Exploit
Fix
Insufficient Verification of Data Authenticity
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Typebot