CVE-2026-33712 Overview
CVE-2026-33712 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Typebot, an open-source chatbot builder. The flaw affects versions 3.15.2 and prior. The preview chat endpoint POST /api/v1/typebots/{typebotId}/preview/startChat accepts custom typebot definitions containing server-side code blocks. The fetch function exposed inside the isolated-vm sandbox invokes Node.js native fetch without invoking the validateHttpReqUrl SSRF guard that protects the HTTP Request block. Attackers can pivot to cloud metadata services, internal network resources, and exfiltrate data from self-hosted and hosted Typebot deployments. The issue is fixed in version 3.16.0.
Critical Impact
Unauthenticated attackers can reach internal services, steal cloud instance credentials, and exfiltrate sensitive data through the sandbox fetch bypass.
Affected Products
- Typebot versions 3.15.2 and prior
- Self-hosted Typebot deployments
- Hosted Typebot services
Discovery Timeline
- 2026-05-22 - CVE-2026-33712 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-33712
Vulnerability Analysis
The vulnerability resides in the preview chat startup flow exposed through POST /api/v1/typebots/{typebotId}/preview/startChat. The endpoint accepts a caller-supplied typebot definition, which can include server-side script blocks executed inside an isolated-vm sandbox. The sandbox exposes a fetch binding that maps directly to Node.js native fetch. Earlier SSRF hardening tracked in GHSA-8gq9-rw7v-3jpr added the validateHttpReqUrl check to the HTTP Request block, but the same guard was never wired into the sandbox fetch binding. This mismatch creates a parallel egress path that ignores deny-listed hosts and private address ranges. The weakness is classified as Missing Authorization [CWE-862] because the endpoint does not require authentication before executing attacker-controlled code that triggers outbound requests.
Root Cause
The root cause is inconsistent enforcement of URL validation across server-side egress primitives. The HTTP Request block routes through a validated wrapper, while the sandbox fetch calls Node.js fetch directly. Combined with an unauthenticated preview endpoint that accepts arbitrary bot definitions, the gap permits attacker-controlled URLs to reach any reachable host.
Attack Vector
An unauthenticated attacker sends a crafted request to the preview endpoint with a typebot definition containing a server-side code block. The block calls fetch against internal IP ranges, cloud metadata endpoints such as 169.254.169.254, or other private services. Response data flows back through the chat session, enabling credential theft and reconnaissance of internal infrastructure.
The public advisory does not publish proof-of-concept code. Refer to the GitHub Security Advisory GHSA-vc2q-r6rq-ggj9 for the vendor's technical writeup.
Detection Methods for CVE-2026-33712
Indicators of Compromise
- Unauthenticated POST requests to /api/v1/typebots/{typebotId}/preview/startChat containing inline server-side code blocks
- Outbound connections from the Typebot host to cloud metadata addresses such as 169.254.169.254 or metadata.google.internal
- Anomalous egress from Typebot processes to RFC1918 ranges or internal service ports
Detection Strategies
- Inspect application logs for preview chat requests carrying script blocks that reference fetch with non-public URLs
- Correlate Typebot process network telemetry with destinations outside the expected SaaS or webhook allowlist
- Alert on Typebot-originating HTTP requests that return AWS, GCP, or Azure metadata response signatures
Monitoring Recommendations
- Capture egress flow logs from Typebot workloads and baseline normal destinations
- Enable cloud provider IMDSv2 or equivalent and log all metadata service queries
- Forward Typebot API access logs to a centralized analytics platform for query against the indicators above
How to Mitigate CVE-2026-33712
Immediate Actions Required
- Upgrade Typebot to version 3.16.0 or later on all self-hosted instances
- Audit recent access logs for /api/v1/typebots/*/preview/startChat requests containing server-side code blocks
- Rotate cloud credentials and API keys reachable from the Typebot host if exploitation is suspected
Patch Information
The vendor released the fix in Typebot v3.16.0. Details are documented in GitHub Security Advisory GHSA-vc2q-r6rq-ggj9. The patch routes the sandbox fetch binding through the same validateHttpReqUrl validation that protects the HTTP Request block.
Workarounds
- Place the Typebot service behind an egress proxy that denies traffic to RFC1918 ranges and cloud metadata endpoints
- Enforce IMDSv2 on AWS instances to block SSRF-based credential retrieval
- Restrict the preview endpoint at the reverse proxy layer to authenticated administrators until upgrade is complete
# Example egress restriction using iptables to block metadata service access
iptables -A OUTPUT -m owner --uid-owner typebot -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner typebot -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner typebot -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner typebot -d 192.168.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

