Description
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim's resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId. This confirms the missing check is an oversight, not a design choice. This issue has been fixed in version 3.15.2.
Published: 2026-05-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The missing ownership check in the getResultLogs endpoint lets an authenticated attacker read execution logs belonging to a typebot in another workspace. The endpoint authorizes the caller against the typebotId they supply, then fetches logs by resultId alone; because the two identifiers are never tied together, the attacker can pair their own typebotId with a victim's resultId and retrieve logs that may contain HTTP response bodies, AI model outputs and webhook payloads. This is a textbook IDOR (CWE-639, authorization bypass through a user-controlled key). The impact is confidentiality only: logs cannot be altered and availability is unaffected, which matches the C:H/I:N/A:N part of the CVSS vector.

Affected Systems

The affected product is Typebot, a chatbot builder tool maintained by baptisteArno. The CVE description states that versions 3.15.2 and prior are vulnerable and also that the issue was fixed in 3.15.2; that text is internally inconsistent, and 3.16.0 is cited as a newer release containing the fix. Treat every release up to and including 3.15.2 as potentially affected and upgrade to 3.16.0 or later, confirming the fix against the project's release notes.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low attack complexity, low privileges (any authenticated account) and no user interaction, with high confidentiality impact. No EPSS score is available and the CVE is not in the CISA KEV catalog; the SSVC assessment records Exploitation: none and Automatable: no. Exploitation requires a valid account in any workspace plus a victim's resultId; how a resultId would be obtained is not described in the record. With those two values, the attacker sends their own typebotId together with the victim's resultId and receives that result's logs, because nothing confirms the result belongs to the authorized typebot. The attacker does not need to share a workspace with the victim.

Generated by OpenCVE AI on May 22, 2026 at 17:20 UTC.

Remediation

The CVE record states that the issue is fixed in a released version of Typebot (see the recommended actions below); no separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade to Typebot 3.16.0 or later. The CVE text names 3.15.2 as both the last affected and the first fixed version, so do not stop at 3.15.2 without confirming the fix in the project's release notes.
  • If an upgrade cannot be performed immediately, restrict the getResultLogs endpoint at the reverse proxy or API gateway to trusted administrators, or apply a local patch that scopes the log query to results owned by the authorized typebotId, as the other result‑scoped endpoints in the same router already do.
  • Monitor API logs for getResultLogs calls whose resultId does not belong to the supplied typebotId, and for accounts requesting many distinct resultIds in a short period; review historical logs for such cross‑workspace access.

Generated by OpenCVE AI on May 22, 2026 at 17:20 UTC.

Advisories

No advisories yet.

History

Fri, 22 May 2026 17:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 16:30:00 +0000

Type: Description
Values removed: (none)
Values added: Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim's resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId. This confirms the missing check is an oversight, not a design choice. This issue has been fixed in version 3.15.2.

Type: Title
Values removed: (none)
Values added: Typebot: IDOR in Result Logs Endpoint Allows Cross-Workspace Data Disclosure

Type: Weaknesses
Values removed: (none)
Values added: CWE-639 (Authorization Bypass Through User-Controlled Key)

Type: References
Values removed: (none)
Values added:

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T16:44:17.968Z

Reserved: 2026-02-27T15:54:05.140Z

Link: CVE-2026-28444

Vulnrichment

Updated: 2026-05-22T16:43:21.254Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T17:30:06Z

Weaknesses