CVE-2026-34207

Published: May 22, 2026Modified: May 22, 2026Deferred

7.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Exploitability: 2.8 / Impact: 4.7

Source: security-advisories@github.com (Secondary)

Description

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.example that resolves to 127.0.0.1, 169.254.169.254, or RFC1918/private space passes validation and is later fetched by the backend HTTP client. This enables server-side request forgery to loopback, cloud metadata, and private network targets. This issue has been resolved in version 3.16.0.

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/baptisteArno/typebot.io/commit/23818bb0e54db23c456ee3fa6b12d82b2af848b8

Source: security-advisories@github.com

https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0

Source: security-advisories@github.com

https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grcc-6x37-wwgp

Source: security-advisories@github.com

https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grcc-6x37-wwgp

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.