CVE-2026-28444

Published: May 22, 2026

Modified: May 22, 2026

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim's resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId. This confirms the missing check is an oversight, not a design choice. This issue has been fixed in version 3.15.2.

Vendor	Product	Versions
baptisteArno	typebot.io	affected `< 3.16.0`

Weaknesses (CWE)

CWE-639

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-c63p-mqx5-75r7

x_refsource_CONFIRM

https://github.com/baptisteArno/typebot.io/commit/d82b2d47c86ae614a08d4073c669ca64442faff2

x_refsource_MISC

https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-28444

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References