Server-Side Request Forgery Vulnerability in TypeBot by Baptiste Arno
CVE-2026-34207

7.6 HIGH

Key Information:

Vendor
CVE Published: 22 May 2026

What is CVE-2026-34207?

TypeBot, a chatbot builder tool developed by Baptiste Arno, contains a server-side request forgery (SSRF) vulnerability in its webhook and HTTP request validation. The SSRF protection validates only the URL string and does not resolve DNS before permitting the request, so a hostname that resolves to a local or private network address bypasses the check. This can lead to unauthorized access to local services or sensitive data. To mitigate this issue, users are urged to update to version 3.16.0 or later, where the vulnerability is fixed.
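The gap between checking the URL text and checking what the hostname resolves to, shown as an added example (not TypeBot's code or its actual fix). The function names, the `.example.test` hosts and the addresses are hypothetical and constructed; DNS answers are passed in so the block runs offline.

```javascript
// Added illustration, not TypeBot code. Function names and sample hosts are hypothetical.
// Loopback, private, CGNAT, link-local and "this network" IPv4 ranges as [base, prefixLength].
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedAddress(ip) {
  const lower = ip.toLowerCase();
  const mapped = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped IPv6
  const n = v4ToInt(mapped ? mapped[1] : lower);
  if (n !== null) {
    return BLOCKED_V4.some(([base, len]) => {
      const size = 2 ** (32 - len);
      return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
    });
  }
  // IPv6 loopback, unspecified, unique-local fc00::/7, link-local fe80::/10, other mapped forms.
  if (lower === "::1" || lower === "::" || lower.startsWith("::ffff:")) return true;
  if (/^f[cd][0-9a-f]{2}:/.test(lower) || /^fe[89ab][0-9a-f]:/.test(lower)) return true;
  return !lower.includes(":"); // anything that is not an IP literal fails closed
}

// String-only validation, the pattern the advisory describes: only the hostname text is inspected.
function stringOnlyCheck(urlString) {
  const host = new URL(urlString).hostname.replace(/^\[|\]$/g, "");
  const isLiteral = v4ToInt(host) !== null || host.includes(":");
  return host !== "localhost" && !(isLiteral && isBlockedAddress(host));
}

// Resolution-aware validation. `addresses` holds every A/AAAA answer for the host, looked up
// by the caller (for example with dns.promises.lookup(host, { all: true })).
function resolvedCheck(urlString, addresses) {
  if (!stringOnlyCheck(urlString) || addresses.length === 0) return { ok: false, pinned: null };
  if (addresses.some(isBlockedAddress)) return { ok: false, pinned: null };
  return { ok: true, pinned: addresses[0] }; // connect to this IP, do not resolve again
}
```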

Affected Version(s)

typebot.io < 3.16.0

References

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
