Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-39966

CVE-2026-39966: TypeBot Auth Bypass Vulnerability

CVE-2026-39966 is an authentication bypass vulnerability in TypeBot that allows authenticated users to access private bot definitions across workspaces. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-39966 Overview

CVE-2026-39966 is an authorization bypass vulnerability in Typebot, an open-source chatbot builder. The flaw resides in the getLinkedTypebots API endpoint in version 3.15.2. The endpoint returns complete bot definitions to any authenticated user who references a target bot ID in a Typebot Link block, ignoring workspace ownership. The defect is classified as [CWE-863] Incorrect Authorization. Maintainers fixed the issue in version 3.16.0.

Critical Impact

Any authenticated Typebot user can read private bots from other workspaces, including conversation logic, embedded variables, credentials, API keys, personally identifiable information (PII), webhook URLs, and integration configurations.

Affected Products

  • Typebot 3.15.2
  • Typebot self-hosted deployments running affected versions
  • Typebot cloud workspaces prior to the 3.16.0 release

Discovery Timeline

  • 2026-05-22 - CVE-2026-39966 published to the National Vulnerability Database (NVD)
  • 2026-05-22 - Last updated in NVD database

Technical Details for CVE-2026-39966

Vulnerability Analysis

The getLinkedTypebots endpoint loads bots referenced by ID inside a Typebot Link block. The code intended to filter the results so only bots whose workspace contained the requesting user were returned. Instead, the access control predicate never executes, exposing every requested bot regardless of ownership.

Returned objects include full groups, variables, and integration metadata. Variables in production bots often hold secrets such as API tokens, third-party credentials, and customer PII passed through chat sessions. Webhook URLs and configuration values exposed by this endpoint can be replayed against backend services.

Root Cause

The authorization check used Array.filter() with an async callback. Because filter() is synchronous, it evaluates the callback's return value directly. An async function always returns a Promise, and any non-null Promise is truthy. Every element therefore passes the filter, and the membership check on workspace.members is effectively a no-op.

This pattern is a recurring mistake in TypeScript and JavaScript codebases that mix async/await with synchronous higher-order array methods.

Attack Vector

An authenticated attacker creates a Typebot in their own workspace and adds a Typebot Link block referencing the target bot's ID. Calling getLinkedTypebots then returns the full target definition. No additional privileges, user interaction, or social engineering are required.

typescript
// Patch excerpt: apps/builder/src/features/blocks/logic/typebotLink/api/getLinkedTypebots.ts
// Fix authorization bypass in getLinkedTypebots (GHSA-3fr5-999r-84qj)

    if (!linkedTypebotIds.length) return { typebots: [] };

-    const typebots = (
-      await prisma.typebot.findMany({
-        where: {
-          isArchived: { not: true },
-          id: { in: linkedTypebotIds },
-        },
-        select: {
-          id: true,
-          version: true,
-          groups: true,
-          variables: true,
-          name: true,
-          createdAt: true,
-          workspace: {
-            select: {
-              isSuspended: true,
-              isPastDue: true,
-              members: {
-                select: {
-                  userId: true,
-                },
+    const fetchedTypebots = await prisma.typebot.findMany({
+      where: {
+        isArchived: { not: true },
+        id: { in: linkedTypebotIds },
+      },
+      select: {

Source: GitHub commit b9530a0

Detection Methods for CVE-2026-39966

Indicators of Compromise

  • Requests to the getLinkedTypebots tRPC or REST route referencing bot IDs not owned by the requester's workspace.
  • Unusual cross-workspace patterns where one account enumerates many typebotId values in rapid succession.
  • Application logs showing successful retrieval of bots whose workspaceId differs from the caller's active workspace.

Detection Strategies

  • Audit Typebot application logs and the reverse proxy in front of the builder for calls to getLinkedTypebots and correlate the responding bot IDs with the caller's workspace membership.
  • Compare database Typebot.workspaceId against the authenticated session workspace for each historical getLinkedTypebots request to identify retroactive access.
  • Hunt for authenticated accounts that created Typebot Link blocks referencing IDs outside their own workspace inventory.

Monitoring Recommendations

  • Enable verbose request logging on the Typebot builder API and forward to a centralized log store for retention.
  • Alert on response payloads from getLinkedTypebots that include variables or webhook fields belonging to non-owned workspaces.
  • Track outbound traffic from systems referenced in leaked webhook URLs for unexpected callers replaying captured endpoints.

How to Mitigate CVE-2026-39966

Immediate Actions Required

  • Upgrade self-hosted Typebot deployments to version 3.16.0 or later, which contains the patch from commit b9530a0.
  • Rotate any credentials, API keys, and webhook secrets that may have been embedded in bot variables on affected versions.
  • Review workspace audit data to identify any account that called getLinkedTypebots against bots it does not own.

Patch Information

The maintainer released the fix in Typebot v3.16.0. The change replaces the broken Array.filter() with an async callback pattern and enforces workspace membership before returning bot definitions. Full advisory details are published as GHSA-3fr5-999r-84qj.

Workarounds

  • Restrict Typebot builder access to trusted users only until the upgrade to 3.16.0 is complete.
  • Remove sensitive values such as API keys and PII from bot variables, keeping secrets in server-side integrations referenced indirectly.
  • Place the Typebot builder API behind a network policy or reverse proxy that blocks the getLinkedTypebots route for untrusted tenants.
bash
# Verify the running Typebot version and upgrade via Docker Compose
docker compose pull
docker compose exec builder node -e "console.log(require('./package.json').version)"
# Expected output: 3.16.0 or later
docker compose up -d

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.