IDOR Vulnerability in Typebot Chatbot Builder Tool
CVE-2026-28444

6.5 MEDIUM

Key Information:

Vendor
CVE Published:
22 May 2026

What is CVE-2026-28444?

Typebot, a popular chatbot builder tool, has a vulnerability in versions 3.15.2 and earlier: the getResultLogs API endpoint does not verify that the supplied resultId belongs to the typebotId the caller is authorized for. An authenticated attacker can therefore pass their own typebotId together with any resultId from another user's workspace and read that result's execution logs, which can include HTTP response bodies, AI model outputs, and webhook payloads, exposing potentially sensitive data. All other result-scoped endpoints validate resultId against the authorized typebotId, so this is a missing check rather than intended behaviour. Upgrading to version 3.16.0 addresses the issue.
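The authorization gap described above, shown as an added example with a constructed in-memory model (not Typebot's code; all type and function names are assumptions). The vulnerable handler authorizes the caller on typebotId only, while the fixed handler also requires that the result belongs to that typebot, which is the check the other result-scoped endpoints already perform.

```typescript
// Constructed model of the getResultLogs authorization flaw; not Typebot's code.
type Typebot = { id: string; workspaceId: string };
type Result = { id: string; typebotId: string };
type ResultLog = { resultId: string; details: string };
type User = { id: string; workspaceIds: string[] };

// Constructed sample data: two workspaces, each with one typebot, one result and one log.
const typebots: Typebot[] = [
  { id: "tb-1", workspaceId: "ws-a" },
  { id: "tb-2", workspaceId: "ws-b" },
];
const results: Result[] = [
  { id: "res-1", typebotId: "tb-1" },
  { id: "res-2", typebotId: "tb-2" },
];
const logs: ResultLog[] = [
  { resultId: "res-1", details: "webhook payload recorded for ws-a" },
  { resultId: "res-2", details: "AI model output recorded for ws-b" },
];

// A user who is a member of workspace ws-a only.
const userA: User = { id: "user-a", workspaceIds: ["ws-a"] };

// Workspace membership check on the typebot (the part the vulnerable endpoint already did).
function canAccessTypebot(user: User, typebotId: string): boolean {
  const tb = typebots.find((t) => t.id === typebotId);
  return tb !== undefined && user.workspaceIds.includes(tb.workspaceId);
}

// Vulnerable shape: resultId is used directly after the typebot check, so a resultId
// from another workspace is served as long as the caller owns *some* typebot.
function getResultLogsVulnerable(user: User, typebotId: string, resultId: string): ResultLog[] | null {
  if (!canAccessTypebot(user, typebotId)) return null;
  return logs.filter((l) => l.resultId === resultId);
}

// Fixed shape: additionally require that the result belongs to the authorized typebot.
function getResultLogsFixed(user: User, typebotId: string, resultId: string): ResultLog[] | null {
  if (!canAccessTypebot(user, typebotId)) return null;
  const result = results.find((r) => r.id === resultId);
  if (result === undefined || result.typebotId !== typebotId) return null; // ownership check
  return logs.filter((l) => l.resultId === resultId);
}
```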

Affected Version(s)

typebot.io < 3.16.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability Published

  • Vulnerability Reserved
