CVE-2025-64706

Published: Nov 13, 2025Modified: Jan 30, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing the target user's ID and token ID, without requiring authorization checks. Version 3.13.0 fixes the issue.

Affected (1)

Products: Typebot: Typebot

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Typebot Typebot	From 3.9.0 to 3.13.0

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (1)

https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grx8-g27p-8hpp

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.