Description
TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both workspaceId and credentialsId as path parameters, which are logged in web server access logs, visible in Meta's webhook configuration dashboard, and potentially shared when configuring integrations. This allows any unauthenticated attacker to send spoofed webhook messages to trigger bot flows, consume API resources, and interact with external services using the workspace owner's credentials. The issue has been fixed in version 3.17.0.
Published: 2026-05-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is the absence of verification for the x-hub-signature-256 header on the WhatsApp Cloud API webhook endpoint in TypeBot version 3.16.0 and earlier. Because the signature is not checked, an attacker can forge webhook requests to POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook. The forged payload triggers bot flows and causes the bot to perform actions using the workspace's WhatsApp credentials, enabling the attacker to consume API resources or interact with other services as the legitimate owner.

Affected Systems

TypeBot is provided by baptisteArno under the package typebot.io. The webhook endpoint vulnerability applies to all versions 3.16.0 and earlier. The issue was fixed in release 3.17.0.

Risk and Exploitability

With a CVSS score of 6.5, this vulnerability is classified as medium severity. The EPSS score is not available, but the flaw can be exploited without authentication by sending a crafted HTTP POST to the exposed endpoint, so the practical risk remains high for installations that expose the webhook URL to the public internet. The vulnerability is not listed in CISA's KEV catalogue.

Generated by OpenCVE AI on May 22, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TypeBot to version 3.17.0 or later to enable signature verification on the WhatsApp webhook endpoint.
  • Immediately revoke and rotate any WhatsApp Cloud API credentials that may have been exposed during the vulnerable period.
  • Ensure that workspaceId and credentialsId are no longer logged or displayed in public dashboards; where possible, place the webhook endpoint behind a firewall or restrict it to known Meta IP ranges.


Advisories

No advisories yet.

History

Sat, 23 May 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 19:15:00 +0000

Type Values Removed Values Added
Description TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both workspaceId and credentialsId as path parameters, which are logged in web server access logs, visible in Meta's webhook configuration dashboard, and potentially shared when configuring integrations. This allows any unauthenticated attacker to send spoofed webhook messages to trigger bot flows, consume API resources, and interact with external services using the workspace owner's credentials. The issue has been fixed in version 3.17.0.
Title TypeBot: WhatsApp Webhook Endpoint Missing Signature Verification
Weaknesses CWE-287
CWE-345
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-23T02:35:40.152Z

Reserved: 2026-04-08T00:01:47.627Z

Link: CVE-2026-39969

Vulnrichment

Updated: 2026-05-23T02:35:32.464Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T21:00:12Z

Weaknesses