PT-2026-50564 · Baptistearno · Typebot.Io

Published: 2026-06-17 · Updated: 2026-06-18 · CVE-2026-48759

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: TypeBot versions prior to 3.16.0; Steeltoe (affected versions not specified)

Description: TypeBot contains an Insecure Direct Object Reference (IDOR) issue (a flaw where an application grants direct access to objects based on user-supplied input) that allows authenticated users to modify or delete theme templates belonging to other workspaces. The handleSaveThemeTemplate and handleDeleteThemeTemplate handlers verify that the user is a non-guest member of a workspace, but the subsequent Prisma queries that look up the record by themeTemplateId do not include the workspaceId in their filter, enabling unauthorized cross-workspace actions. Template IDs may be exposed through network traffic or shared typebots.

Steeltoe writes TLS private keys to the /tmp directory, exposing sensitive data and compromising the integrity and privacy of data in transit.

Recommendations: Update TypeBot to version 3.16.0. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
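The missing-filter pattern described above, reduced to an added JavaScript illustration that is not Typebot's code: a small in-memory stand-in for the Prisma theme-template model, with the handler names, store layout, and all workspace, user and template ids constructed for the example. It contrasts a delete whose query filters on the template id only (the shape the advisory describes) with one that also includes workspaceId in the filter, and shows that the second returns "not found" for a template owned by another workspace while still letting the owning workspace delete its own.

```javascript
// Added illustration, not Typebot's code: an in-memory stand-in for the Prisma
// `themeTemplate` model, contrasting a delete filtered on id only with one
// that also filters on workspaceId. All ids and names below are constructed.

// Constructed sample rows: two workspaces, one theme template each.
function freshStore() {
  return new Map([
    ["tpl-a", { id: "tpl-a", workspaceId: "ws-a", name: "Template A" }],
    ["tpl-b", { id: "tpl-b", workspaceId: "ws-b", name: "Template B" }],
  ]);
}

// Constructed membership table: non-guest workspace memberships per user.
const memberships = {
  "user-a": new Set(["ws-a"]),
  "user-b": new Set(["ws-b"]),
};

// Stand-in for the "non-guest member of this workspace" check that the
// advisory says both handlers already perform.
function isNonGuestMember(userId, workspaceId) {
  const ws = memberships[userId];
  return ws !== undefined && ws.has(workspaceId);
}

// Minimal imitation of Prisma's delete({ where }): every key in `where` must
// match the stored row, otherwise the row is treated as not found.
function deleteWhere(store, where) {
  const row = store.get(where.id);
  if (!row) return null;
  for (const [key, value] of Object.entries(where)) {
    if (row[key] !== value) return null;
  }
  store.delete(where.id);
  return row;
}

// Vulnerable shape (hypothetical handler): membership is checked against the
// caller's own workspace, but the query filters on the template id alone, so a
// template belonging to any workspace is accepted.
function deleteThemeTemplateUnscoped(store, { userId, workspaceId, themeTemplateId }) {
  if (!isNonGuestMember(userId, workspaceId)) return { status: 403 };
  const deleted = deleteWhere(store, { id: themeTemplateId });
  return deleted ? { status: 200, deleted } : { status: 404 };
}

// Hardened shape (hypothetical handler): the same membership check, plus
// workspaceId in the filter, so a template from another workspace is not found.
function deleteThemeTemplateScoped(store, { userId, workspaceId, themeTemplateId }) {
  if (!isNonGuestMember(userId, workspaceId)) return { status: 403 };
  const deleted = deleteWhere(store, { id: themeTemplateId, workspaceId });
  return deleted ? { status: 200, deleted } : { status: 404 };
}

// Runs one cross-workspace request (a member of ws-b naming ws-a's template)
// against both shapes and reports whether ws-a's template survived.
function compare() {
  const request = { userId: "user-b", workspaceId: "ws-b", themeTemplateId: "tpl-a" };
  const unscoped = freshStore();
  const scoped = freshStore();
  return {
    unscoped: { status: deleteThemeTemplateUnscoped(unscoped, request).status, survived: unscoped.has("tpl-a") },
    scoped: { status: deleteThemeTemplateScoped(scoped, request).status, survived: scoped.has("tpl-a") },
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

The defensive point is that the membership check and the data query have to agree on the same workspace: the check proves the caller belongs to `workspaceId`, so the query must constrain the row to that same `workspaceId`, otherwise the check authorises nothing about the object actually being touched. The same applies to the save path, where an `update({ where: { id, workspaceId } })` shape gives the same not-found result for foreign templates.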

IDOR


Weakness Enumeration

Related Identifiers: CVE-2026-48759

Affected Products: Typebot.Io