PT-2026-42825 · Typebot · Typebot

Published

2026-05-22

·

Updated

2026-05-23

·

CVE-2026-39969

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.17.0
Description The WhatsApp Cloud API webhook endpoint 'POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook' fails to verify the x-hub-signature-256 HMAC signature provided by Meta. Because the workspaceId and credentialsId path parameters are often logged in web server access logs or visible in configuration dashboards, an unauthenticated attacker can send spoofed webhook messages. This allows the attacker to trigger bot flows, consume API resources, and interact with external services using the credentials of the workspace owner.
Recommendations Update to version 3.17.0.

Exploit

Fix

Insufficient Verification of Data Authenticity

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-39969
GHSA-8VQP-R5W7-V47F

Affected Products

Typebot