Description
TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any anonymous visitor to a published bot with a file input can upload attacker-controlled HTML, SVG, or JS to attacker-chosen subpaths, including other tenants’ publicly served result paths, enabling arbitrary content hosting and potential stored XSS on the storage origin. ../ traversal is blocked by S3/MinIO canonicalization (signature mismatch), but forward-slash path injection is exploitable. This issue has been fixed in version 3.17.0.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TypeBot’s generate-upload-url endpoint allows unauthenticated users to request uploads whose file names are used directly to form S3 object keys. Because the fileName is not sanitized and the presigned PUT URL does not restrict Content-Type, attackers can deposit maliciously crafted HTML, SVG, or JavaScript at arbitrary public paths. The uploaded content is then served from the storage origin, making stored cross-site scripting and hosting of arbitrary web resources possible from a published bot.
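To make the two defects concrete, here is an added example (not TypeBot’s code; all function and prefix names are hypothetical) that contrasts the vulnerable key construction with a hardened version: path components are dropped, the extension and MIME type are allow-listed, and the server picks the final object name so the client no longer steers where the object lands.

```typescript
import { randomUUID } from "node:crypto";
import * as path from "node:path";

// Constructed allow-lists; HTML, SVG and JS are deliberately absent.
const ALLOWED_CONTENT_TYPES = new Set(["image/png", "image/jpeg", "application/pdf"]);
const ALLOWED_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".pdf"]);

// Vulnerable pattern: the caller-supplied name is spliced straight into the key,
// so a name containing "/" becomes extra path segments under public/.
function buildKeyUnsafe(resultId: string, fileName: string): string {
  return `public/results/${resultId}/${fileName}`;
}

class UploadValidationError extends Error {}

// Hardened: validate the prefix, strip every path component from the name,
// allow-list extension and MIME type, and choose the object name server-side.
function buildKeySafe(
  resultId: string,
  fileName: string,
  contentType: string,
): { key: string; contentType: string } {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(resultId)) {
    throw new UploadValidationError("invalid resultId");
  }
  // basename drops "/" segments (so "../" and "x/../y" cannot survive);
  // backslashes and NUL are removed first so they cannot be smuggled through.
  const base = path.posix.basename(fileName.replace(/[\\\0]/g, ""));
  if (base === "" || base === "." || base === "..") {
    throw new UploadValidationError("invalid fileName");
  }
  const ext = path.posix.extname(base).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    throw new UploadValidationError(`extension not allowed: ${ext || "(none)"}`);
  }
  // Normalise "image/png; charset=..." to the bare media type before checking.
  const ct = (contentType.split(";")[0] ?? "").trim().toLowerCase();
  if (!ALLOWED_CONTENT_TYPES.has(ct)) {
    throw new UploadValidationError(`content type not allowed: ${ct}`);
  }
  // Random server-chosen name; only the validated extension comes from the client.
  return { key: `public/results/${resultId}/${randomUUID()}${ext}`, contentType: ct };
}
```

The validated `contentType` should then be supplied as the Content-Type of the PutObject request that is presigned, so that the signature covers it and an upload with a different type is rejected.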

Affected Systems

All TypeBot installations using version 3.16.1 or earlier are vulnerable. This includes publicly deployed bots that expose the file-input endpoint. Users of the 3.17.0 release and later are not affected.

Risk and Exploitability

The CVSS score of 9.3 places this flaw in the critical range, but the EPSS score (<1%) indicates that exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only unauthenticated access to the exposed endpoint, so the attack vector is straightforward for any external user. Because the endpoint is public, any visitor can inject content, and forward-slash path injection lets that content land under other tenants’ public paths, even though ../ directory traversal is mitigated by the storage service’s key canonicalization.

Generated by OpenCVE AI on June 18, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TypeBot to version 3.17.0 or later to remove the unauthenticated upload capability and sanitize file names.
  • If an upgrade is delayed, restrict access to the /api/blocks/file-input/v3/generate-upload-url endpoint using network controls or a reverse proxy that blocks unauthenticated requests.
  • Ensure that all uploaded files are served with strict Content-Type headers and consider deploying a content security policy to mitigate potential XSS from stored content.



Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:30:00 +0000

  • First Time appeared (values added): Baptistearno; Baptistearno typebot.io
  • Vendors & Products (values added): Baptistearno; Baptistearno typebot.io
  • Metrics (values added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

  • Description (values added): TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any anonymous visitor to a published bot with a file input can upload attacker-controlled HTML, SVG, or JS to attacker-chosen subpaths, including other tenants’ publicly served result paths, enabling arbitrary content hosting and potential stored XSS on the storage origin. ../ traversal is blocked by S3/MinIO canonicalization (signature mismatch), but forward-slash path injection is exploitable. This issue has been fixed in version 3.17.0.
  • Title (values added): TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized fileName
  • Weaknesses (values added): CWE-22; CWE-79
  • References (values added): (none shown)
  • Metrics (values added): cvssV3_1
    {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T19:01:36.740Z

Reserved: 2026-05-22T19:39:05.356Z

Link: CVE-2026-48768

Vulnrichment

Updated: 2026-06-18T19:00:55.241Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')