Description
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startChat) allows unauthenticated users to achieve Server-Side Request Forgery (SSRF) by supplying a custom typebot definition with server-side code blocks. The fetch function exposed inside the isolated-vm sandbox calls Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects the HTTP Request block. This bypasses all SSRF mitigations added after GHSA-8gq9-rw7v-3jpr. Exploitation of this unauthenticated SSRF vulnerability can lead to cloud credential theft, internal network access and data exfiltration for any self-hosted Typebot deployments and hosted services. This issue has been fixed in version 3.16.0.
Published: 2026-05-22
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Typebot versions 3.15.2 and earlier, the preview chat endpoint accepts a custom typebot definition that can include server‑side code blocks. The fetch function executed inside an isolated‑VM sandbox calls Node.js native fetch, bypassing the SSRF validation used by the HTTP Request block. This flaw is classified as a Server‑Side Request Forgery and is identified by CWE-918 and CWE‑862. Exploiting the vulnerability allows an unauthenticated user to make arbitrary outbound HTTP requests, potentially leaking cloud credentials, gaining internal network access, or exfiltrating sensitive data.
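
A destination guard of the kind the sandboxed fetch lacked, shown as an added example for defenders. It is not Typebot's code and not its validateHttpReqUrl; the function names, the blocked ranges and the wrapper are assumptions made for illustration.

```javascript
// Added example: hypothetical guard, not Typebot's validateHttpReqUrl.
const net = require('node:net');
const dns = require('node:dns/promises');

// Address ranges a server-side fetch should never reach.
const blocked = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, includes cloud metadata services
  ['172.16.0.0', 12], ['192.168.0.0', 16],
]) blocked.addSubnet(prefix, bits, 'ipv4');
for (const [prefix, bits] of [['::', 128], ['::1', 128], ['fc00::', 7], ['fe80::', 10]])
  blocked.addSubnet(prefix, bits, 'ipv6');

function isBlockedAddress(ip) {
  const family = net.isIP(ip); // 4, 6, or 0 when not an IP literal
  if (family === 0) return true; // fail closed on anything unparsable
  return blocked.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// Synchronous part: scheme and literal-IP checks. Returns a reason or null.
function rejectReason(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return 'unparsable URL'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'scheme not allowed';
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (net.isIP(host) && isBlockedAddress(host)) return 'blocked address';
  return null;
}

// Wrapper to expose to sandboxed code in place of native fetch.
async function guardedFetch(rawUrl, init = {}) {
  const reason = rejectReason(rawUrl);
  if (reason) throw new Error(`SSRF guard: ${reason}`);
  const host = new URL(rawUrl).hostname.replace(/^\[|\]$/g, '');
  if (!net.isIP(host)) {
    const answers = await dns.lookup(host, { all: true });
    if (answers.some((a) => isBlockedAddress(a.address)))
      throw new Error('SSRF guard: hostname resolves to blocked address');
  }
  // Redirects are not followed, so a 3xx cannot steer past the checks.
  return fetch(rawUrl, { ...init, redirect: 'manual' });
}
```

The DNS check and the actual connection resolve the name separately, so a guard like this should be paired with the outbound firewall rules recommended under Remediation rather than relied on alone.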

Affected Systems

The affected product is Typebot, developed by baptisteArno. Any self‑hosted or hosted deployment running version 3.15.2 or earlier is vulnerable; the issue is resolved in version 3.16.0.

Risk and Exploitability

The CVSS score for this flaw is 10, indicating critical severity. No EPSS score is publicly available, and the absence of a KEV listing does not reduce the potential impact. The attack path requires no credentials, only an unauthenticated POST to the preview chat endpoint, making the vulnerability highly exploitable in cloud and internal environments.

Generated by OpenCVE AI on May 22, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Typebot to version 3.16.0 or later
  • Restrict use of the preview chat endpoint to authenticated users only or disable the endpoint altogether
  • Apply network segmentation or firewall rules to block unintended outbound connections from the server running Typebot

Advisories

No advisories yet.

History

Fri, 22 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 22 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | TypeBot: Unauthenticated SSRF via isolated-vm fetch in preview chat endpoint bypasses SSRF controls
Weaknesses | | CWE-862, CWE-918
References | |
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T17:19:14.917Z

Reserved: 2026-03-23T17:06:05.747Z

Link: CVE-2026-33712

Vulnrichment

Updated: 2026-05-22T17:19:09.866Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T18:30:42Z

Weaknesses