Credential Theft Vulnerability in TypeBot Chatbot Builder by Baptiste Arno
CVE-2026-39968

7.1HIGH

Key Information:

Vendor

Baptistearno

Status
Typebot.io
Vendor
CVE Published:
22 May 2026

What is CVE-2026-39968?

The TypeBot chatbot builder tool has a significant vulnerability in versions prior to 3.16.0, where the measures implemented to address credential theft through client-side script execution and API authorization bypass are not sufficient. Specifically, while the builder's getCredentials tRPC endpoint has been improved with workspace membership checks, the associated bot-engine runtime still permits authenticated users to access credentials from any workspace via the preview chat endpoint. This flaw stems from improper workspace ownership validation due to a falsy check in the getCredentials() utility function. By providing a client-controlled workspaceId field that can be an empty string, attackers are able to circumvent the credential ownership verification entirely. Such exploitation could lead to unauthorized credential exfiltration, abuse of external services, financial implications, and potential data breaches.

Affected Version(s)

typebot.io < 3.16.0

References

https://github.com/baptisteArno/typebot.io/security/advis...
x_refsource_CONFIRM
https://github.com/baptisteArno/typebot.io/commit/d96f572...
x_refsource_MISC
https://github.com/baptisteArno/typebot.io/releases/tag/v...
x_refsource_MISC

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.