Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-39968

CVE-2026-39968: TypeBot Authentication Bypass Vulnerability

CVE-2026-39968 is an authentication bypass flaw in TypeBot chatbot builder allowing attackers to access credentials from any workspace. This post covers technical details, affected versions, exploitation risks, and mitigation.

Published:

CVE-2026-39968 Overview

CVE-2026-39968 is a broken access control vulnerability [CWE-284] in TypeBot, an open-source chatbot builder. The flaw affects versions 3.15.2 and prior. It represents an incomplete fix for a previously disclosed issue tracked as GHSA-4xc5-wfwc-jw47. While the builder's getCredentials tRPC endpoint received workspace membership checks, the bot-engine runtime preview chat endpoint did not. Any authenticated user can supply an empty workspaceId to bypass credential ownership validation. Successful exploitation enables credential exfiltration, external service abuse, financial damage, and data breach.

Critical Impact

Authenticated attackers can use credentials stored in any workspace through the preview chat endpoint, enabling theft of API keys and abuse of integrated third-party services.

Affected Products

  • TypeBot versions 3.15.2 and prior
  • TypeBot bot-engine preview chat endpoint
  • TypeBot builder credential storage subsystem

Discovery Timeline

  • 2026-05-22 - CVE-2026-39968 published to NVD
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-39968

Vulnerability Analysis

The vulnerability resides in the bot-engine's getCredentials() utility function. This function performs workspace ownership validation using a falsy conditional check of the form if (workspaceId && ...). The preview chat endpoint accepts a client-controlled workspaceId field. The associated Zod schema permits empty strings as valid input.

When an attacker submits a request with workspaceId: "", the falsy check short-circuits. The ownership verification logic is skipped entirely. The runtime then loads and uses credentials from any workspace requested by the attacker.

This is the second iteration of the same class of bug. The earlier advisory GHSA-4xc5-wfwc-jw47 addressed the builder's tRPC getCredentials endpoint with proper membership checks. The bot-engine code path was not updated at that time, leaving the preview chat endpoint exposed.

Root Cause

The root cause is improper access control combined with permissive input validation. The Zod schema allows empty strings for workspaceId, and the conditional guard treats an empty string as a signal to skip authorization. Authentication alone is treated as sufficient, while authorization checks are bypassed.

Attack Vector

The attack requires network access and a valid authenticated session in the target TypeBot instance. The attacker crafts a preview chat request containing workspaceId: "" and the identifier of a credential belonging to another tenant. The bot-engine returns responses produced using the stolen credentials, enabling abuse of integrated services such as payment APIs, LLM providers, and SMTP relays.

typescript
 import { ORPCError } from "@orpc/server";
 import { authRouter } from "@typebot.io/auth/api/router";
 import { billingRouter } from "@typebot.io/billing/api/router";
+import { builderChatRouter } from "@typebot.io/bot-engine/api/router";
 import { publicProcedure } from "@typebot.io/config/orpc/builder/middlewares";
 import { featureFlagsRouter } from "@typebot.io/feature-flags/orpc/router";
 import { fileUploadBuilderRouter } from "@typebot.io/file-input-block/api/router";

Source: GitHub Commit d96f572. The patch routes preview chat through an authenticated builder router instead of the unauthenticated bot-engine path.

Detection Methods for CVE-2026-39968

Indicators of Compromise

  • Preview chat API requests containing workspaceId: "" or an omitted workspaceId field paired with a foreign credential identifier.
  • Unexpected outbound API calls from the TypeBot server to third-party services not configured in the requesting user's workspace.
  • Anomalous billing or usage spikes on integrated services such as OpenAI, Stripe, or SMTP providers tied to TypeBot credentials.

Detection Strategies

  • Inspect bot-engine access logs for /api/v1/sessions or preview chat routes where the request body contains an empty workspaceId.
  • Correlate authenticated user identifiers with the workspaceId of credentials referenced in chat session payloads to flag cross-tenant access.
  • Compare TypeBot version strings against version 3.16.0 to identify vulnerable deployments.

Monitoring Recommendations

  • Enable detailed request logging on the TypeBot bot-engine and forward logs to a centralized analytics platform.
  • Monitor third-party API usage metrics for credentials stored in TypeBot to detect abuse patterns.
  • Alert on any authenticated session that references credential IDs not owned by the session user.

How to Mitigate CVE-2026-39968

Immediate Actions Required

  • Upgrade TypeBot to version 3.16.0 or later, which routes preview chat through an authenticated builder router.
  • Rotate all credentials stored in TypeBot workspaces, including API keys, SMTP passwords, and OAuth tokens.
  • Review third-party service logs since deployment of any affected version for unauthorized usage.

Patch Information

The fix is published in TypeBot release v3.16.0. Refer to the GitHub Release Notes, the GitHub Security Advisory GHSA-cq66-9cwr-x8jr, and the GitHub Commit Log. The patch introduces a builderChatRouter and enforces authentication on the preview chat path.

Workarounds

  • Restrict network access to the TypeBot builder and bot-engine endpoints to trusted users only via VPN or IP allowlists.
  • Temporarily disable shared credential features by removing sensitive integrations from workspaces until the patch is applied.
  • Add a reverse proxy rule that rejects preview chat requests with an empty or missing workspaceId field.
bash
# Upgrade TypeBot to the patched release
git fetch --tags
git checkout v3.16.0
pnpm install
pnpm build
pnpm start

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.