Improper Access Control in TypeBot Chatbot Builder by Typebot.io
CVE-2026-39966

6.5MEDIUM

Key Information:

Vendor

Baptistearno

Status
Typebot.io
Vendor
CVE Published:
22 May 2026

What is CVE-2026-39966?

TypeBot, a chatbot builder tool, has reported an improper access control vulnerability that allows authenticated users to access sensitive information from other workspaces. The vulnerability arises from the getLinkedTypebots API endpoint, which fails to properly evaluate access control due to a flaw in its authorization check mechanism. This results in any authenticated user being able to retrieve full bot definitions—including conversation blocks, logic flows, variable values, and sensitive configurations—without the necessary permissions. The issue was resolved in version 3.16.0, and users are strongly encouraged to upgrade to protect their data.

Affected Version(s)

typebot.io < 3.16.0

References

https://github.com/baptisteArno/typebot.io/security/advis...
x_refsource_CONFIRM
https://github.com/baptisteArno/typebot.io/commit/b9530a0...
x_refsource_MISC
https://github.com/baptisteArno/typebot.io/releases/tag/v...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.