Impact
The getLinkedTypebots API endpoint in TypeBot versions prior to 3.16.0 exposes a flaw where the authorization check relies on Array.filter() with an async callback. Because filter() invokes its callback synchronously, an async callback returns a pending Promise, and a Promise object is always truthy, so the permission check is never applied. Any authenticated user can provide a bot ID from another workspace and receive the full bot definition, including conversation blocks, logic flows, stored variable values, webhook URLs, and embedded credentials or PII. This constitutes an IDOR that can be abused to exfiltrate sensitive information from private bots of other workspaces.
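The following is an added illustration of the filter()/async-callback bug class described above, with the buggy pattern beside the corrected one; it is example code written for this page, not Typebot's own implementation, and the data model and helper names (Typebot, User, userMayReadBot, getLinkedTypebotsVulnerable, getLinkedTypebotsFixed) are constructed for the demonstration.

```typescript
// Constructed model: a bot belongs to one workspace; a user is a member of some workspaces.
interface Typebot { id: string; workspaceId: string; name: string }
interface User { id: string; workspaceIds: string[] }

// Constructed in-memory bot store standing in for the real database.
const BOTS: Typebot[] = [
  { id: "bot-own", workspaceId: "ws-A", name: "Own bot" },
  { id: "bot-foreign", workspaceId: "ws-B", name: "Another workspace's bot" },
];

// Constructed membership check. It is async to mimic an ORM lookup, which is
// exactly what makes the filter() pattern below go wrong.
async function userMayReadBot(user: User, bot: Typebot): Promise<boolean> {
  await Promise.resolve(); // simulate I/O
  return user.workspaceIds.includes(bot.workspaceId);
}

function findBots(ids: string[]): Typebot[] {
  return BOTS.filter((b) => ids.includes(b.id));
}

// BUGGY pattern (the class of flaw in the advisory): Array.filter() calls its
// callback synchronously, so an async callback hands back a pending Promise.
// A Promise object is always truthy, so every bot passes regardless of membership.
function getLinkedTypebotsVulnerable(user: User, ids: string[]): Typebot[] {
  return findBots(ids).filter(async (bot) => await userMayReadBot(user, bot));
}

// FIXED pattern: resolve every permission check first, then filter on the
// resolved booleans so the authorization result actually drives the filter.
async function getLinkedTypebotsFixed(user: User, ids: string[]): Promise<Typebot[]> {
  const bots = findBots(ids);
  const allowed = await Promise.all(bots.map((bot) => userMayReadBot(user, bot)));
  return bots.filter((_, i) => allowed[i]);
}

// Demo: a member of ws-A asks for its own bot plus a bot belonging to ws-B.
async function demo(): Promise<void> {
  const user: User = { id: "u1", workspaceIds: ["ws-A"] };
  const requested = ["bot-own", "bot-foreign"];
  const leaked = getLinkedTypebotsVulnerable(user, requested).map((b) => b.id);
  const safe = (await getLinkedTypebotsFixed(user, requested)).map((b) => b.id);
  console.log("vulnerable returns:", leaked); // both ids, bot-foreign included
  console.log("fixed returns:", safe);        // only bot-own
}
demo();
```

A code-review or lint check for `filter(async` (or any array predicate returning a Promise) catches this whole class before it ships.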
Affected Systems
The affected product is TypeBot, a chatbot builder tool by typebot.io. Affected versions are 3.15.2 and all earlier releases; the issue was fixed in release 3.16.0.
Risk and Exploitability
The vulnerability carries a CVSS score of 6.5 (medium severity). No EPSS score is published and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user, but once authenticated they can retrieve the full definition of any bot in other workspaces by referencing its ID in a Typebot Link block. The attack vector is inferred to be an authenticated request to the getLinkedTypebots endpoint with a foreign bot ID; the description explicitly notes that any authenticated Typebot user can read private bot definitions, so the flaw is exploitable by ordinary users with valid credentials.
OpenCVE Enrichment