Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34207

CVE-2026-34207: TypeBot Chatbot Builder SSRF Vulnerability

CVE-2026-34207 is a server-side request forgery flaw in TypeBot chatbot builder that bypasses URL validation through DNS resolution. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-34207 Overview

CVE-2026-34207 is a Server-Side Request Forgery (SSRF) vulnerability in TypeBot, an open-source chatbot builder tool. The flaw affects all versions prior to 3.16.0 and resides in the Webhook and HTTP Request block validation logic. The SSRF protection only inspects the URL string and literal IP formats without resolving DNS before issuing the request. Attackers can supply a hostname that resolves to loopback addresses, cloud metadata endpoints, or RFC1918 private networks. The backend HTTP client then fetches the attacker-controlled internal target. The issue is tracked under [CWE-20] Improper Input Validation and was fixed in version 3.16.0.

Critical Impact

Authenticated attackers can pivot through TypeBot to access loopback services, cloud instance metadata (169.254.169.254), and internal private network resources.

Affected Products

  • TypeBot versions prior to 3.16.0
  • TypeBot Webhook blocks
  • TypeBot HTTP Request blocks

Discovery Timeline

  • 2026-05-22 - CVE-2026-34207 published to NVD
  • 2026-05-22 - Last updated in NVD database

Technical Details for CVE-2026-34207

Vulnerability Analysis

The vulnerability stems from incomplete SSRF defenses in TypeBot's HTTP request handling pipeline. The validation routine inspects the supplied URL as a string and rejects known-bad hostname literals and direct private IP formats. However, the check executes before any DNS resolution occurs. An attacker can register or control a hostname such as ssrf-repro.example and configure its DNS A record to point to 127.0.0.1, 169.254.169.254, or any RFC1918 address. TypeBot accepts the hostname as benign, then the backend HTTP client resolves the name and connects to the internal target. This mismatch between validation-time and request-time resolution creates a classic SSRF bypass.

Root Cause

The root cause is reliance on string-level URL inspection without correlating it to the address actually used by the HTTP client. The fix in version 3.16.0 introduces DNS resolution during validation and blocks requests that resolve to disallowed address ranges. Refer to the GitHub Security Advisory GHSA-grcc-6x37-wwgp and the GitHub Commit Update for the patch implementation.

Attack Vector

An authenticated TypeBot user creates a flow that includes a Webhook or HTTP Request block targeting an attacker-controlled hostname. The hostname's DNS record resolves to a sensitive internal address. When the bot executes, the TypeBot backend fetches the URL and returns response data to the attacker. This enables enumeration of internal services, retrieval of cloud instance metadata credentials, and interaction with otherwise unreachable HTTP endpoints inside the deployment network.

No verified public exploit code is available. See the GitHub Security Advisory GHSA-grcc-6x37-wwgp for full technical details.

Detection Methods for CVE-2026-34207

Indicators of Compromise

  • Outbound DNS queries from the TypeBot backend resolving to 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
  • TypeBot HTTP client connections to cloud metadata endpoints such as http://169.254.169.254/latest/meta-data/.
  • Webhook or HTTP Request block configurations referencing unusual external hostnames followed by internal-bound traffic.

Detection Strategies

  • Inspect TypeBot application logs for Webhook and HTTP Request block executions targeting hostnames that resolve to private or loopback addresses.
  • Correlate egress proxy logs with TypeBot process activity to identify SSRF-style requests to metadata services.
  • Audit recent bot flow configurations for HTTP Request blocks added by low-privilege users referencing external domains.

Monitoring Recommendations

  • Route all outbound HTTP traffic from TypeBot through an egress proxy that enforces destination allowlists.
  • Alert on any TypeBot-originated request to 169.254.169.254 or RFC1918 ranges.
  • Enable network flow logging on the host running TypeBot to capture lateral connection attempts.

How to Mitigate CVE-2026-34207

Immediate Actions Required

  • Upgrade TypeBot to version 3.16.0 or later as documented in the GitHub Release v3.16.0.
  • Restrict who can create or modify Webhook and HTTP Request blocks to trusted operators.
  • Review existing flows for HTTP Request blocks pointing to externally controlled hostnames.

Patch Information

The vulnerability is resolved in TypeBot 3.16.0. The fix introduces DNS resolution prior to allowing outbound requests and rejects destinations that resolve to loopback, link-local, or private address space. Patch details are available in the GitHub Commit Update.

Workarounds

  • Place the TypeBot backend behind an egress firewall that blocks traffic to 127.0.0.0/8, 169.254.0.0/16, and RFC1918 ranges.
  • Disable IMDSv1 on cloud instances and enforce IMDSv2 with hop-limit 1 to prevent metadata theft via SSRF.
  • Run TypeBot in a network segment with no route to sensitive internal services until the upgrade is applied.
bash
# Example egress restriction using iptables on the TypeBot host
iptables -A OUTPUT -d 127.0.0.0/8 -m owner --uid-owner typebot -j REJECT
iptables -A OUTPUT -d 169.254.0.0/16 -m owner --uid-owner typebot -j REJECT
iptables -A OUTPUT -d 10.0.0.0/8 -m owner --uid-owner typebot -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -m owner --uid-owner typebot -j REJECT
iptables -A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner typebot -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.