CVE-2026-39965 Overview
CVE-2026-39965 is a Server-Side Request Forgery (SSRF) vulnerability in TypeBot, an open-source chatbot builder. The flaw affects versions 3.15.2 and prior. The HTTP Request block and Code block validate the initial request URL through validateHttpReqUrl() to block private IPs and cloud metadata hostnames. However, the underlying HTTP clients (ky and fetch) follow 302 redirects without re-validating the destination. Authenticated users can abuse this bypass to reach internal services from the TypeBot server. The issue is tracked under [CWE-918] and was fixed in version 3.16.0.
Critical Impact
Authenticated attackers can extract AWS IAM credentials from the instance metadata service at 169.254.169.254, probe internal APIs, and access container-internal services normally inaccessible from the internet.
Affected Products
- TypeBot versions 3.15.2 and prior
- TypeBot HTTP Request block component
- TypeBot Code block component
Discovery Timeline
- 2026-05-22 - CVE CVE-2026-39965 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-39965
Vulnerability Analysis
The vulnerability resides in TypeBot's outbound HTTP handling logic. When a bot workflow includes an HTTP Request or Code block, TypeBot invokes validateHttpReqUrl() on the user-supplied URL. This validator blocks private RFC1918 addresses, loopback ranges, and known cloud metadata hostnames such as 169.254.169.254.
The validation occurs only once, against the initial URL. After validation, the request is dispatched through the ky HTTP client or native fetch. Both clients transparently follow HTTP 302 redirects. The redirect target is never re-evaluated against the SSRF allowlist.
An authenticated TypeBot user configures a bot block to call an attacker-controlled endpoint on the public internet. The validator accepts the URL because the hostname resolves to a public IP. The attacker server replies with HTTP 302 Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/. The TypeBot server follows the redirect and returns the response body to the workflow.
Root Cause
The root cause is incomplete URL validation across the redirect chain. The application enforces destination policy at request initiation but delegates redirect handling to libraries that do not honor that policy. This is a classic SSRF allowlist bypass pattern documented under [CWE-918].
Attack Vector
Exploitation requires an authenticated TypeBot account with permission to create or edit workflows. The attacker hosts a public HTTP server that returns 302 responses targeting internal resources. They configure a bot block to call this server, then trigger the workflow. The TypeBot server follows the redirect and exfiltrates internal responses, including cloud IAM credentials, into the workflow output.
The vulnerability described in this advisory is an SSRF via open redirect bypass. No verified proof-of-concept code is available in the referenced advisories. Refer to the GitHub Security Advisory GHSA-jxv3-m939-w95c for additional technical context.
Detection Methods for CVE-2026-39965
Indicators of Compromise
- Outbound HTTP requests from TypeBot server processes to 169.254.169.254 or other link-local addresses
- TypeBot server connections to RFC1918 private subnets that do not match expected backend services
- HTTP 302 responses received by TypeBot from external hosts immediately followed by requests to internal IPs
- Unexpected AWS IAM credential usage from instance roles associated with TypeBot infrastructure
Detection Strategies
- Inspect TypeBot application logs for HTTP Request block executions where the final response URL differs from the user-supplied URL
- Correlate egress firewall logs with TypeBot workflow execution timestamps to identify redirects into internal ranges
- Monitor cloud audit logs (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) for API calls using credentials tied to the TypeBot host role from unexpected source IPs
Monitoring Recommendations
- Enforce egress filtering at the network layer to block TypeBot servers from reaching metadata endpoints and unrelated internal subnets
- Enable Instance Metadata Service v2 (IMDSv2) on AWS to require session tokens for metadata access
- Alert on any process on the TypeBot host initiating connections to 169.254.169.254, 127.0.0.1, or internal management ports
How to Mitigate CVE-2026-39965
Immediate Actions Required
- Upgrade TypeBot to version 3.16.0 or later, which re-validates URLs across the entire redirect chain
- Rotate any cloud IAM credentials associated with the TypeBot host instance role if exposure is suspected
- Audit existing bot workflows for HTTP Request and Code blocks pointing to unfamiliar external endpoints
Patch Information
The maintainers fixed the issue in TypeBot version 3.16.0. The patch ensures that URL validation is applied to redirect targets, not only to the initial request URL. See the GitHub Release v3.16.0 for release notes and upgrade instructions.
Workarounds
- Restrict TypeBot egress traffic through a proxy that blocks RFC1918 ranges and 169.254.169.254
- Require IMDSv2 on AWS EC2 instances hosting TypeBot to prevent unauthenticated metadata retrieval
- Limit authenticated TypeBot user permissions so untrusted users cannot create or modify HTTP Request and Code blocks
# Configuration example: enforce IMDSv2 on the TypeBot EC2 host
aws ec2 modify-instance-metadata-options \
--instance-id i-0123456789abcdef0 \
--http-tokens required \
--http-endpoint enabled \
--http-put-response-hop-limit 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

