A newly disclosed critical vulnerability, tracked officially as CVE-2026-33712 and identified in the GitHub Advisory Database as GHSA-vc2q-r6rq-ggj9, has exposed self-hosted and cloud-hosted Typebot deployments to catastrophic unauthenticated Server-Side Request Forgery (SSRF) attacks.
Typebot, an increasingly popular open-source conversational AI and chatbot builder, recently released version 3.16.0 to urgently patch the flaw, which previously affected all versions up to 3.15.2.
Boasting a maximum Common Vulnerability Scoring System (CVSS) score of 10.0, this severe vulnerability allows external, unauthenticated threat actors to easily penetrate internal networks, scrape cloud metadata endpoints, and exfiltrate highly sensitive infrastructure credentials.
The core of the issue lies in a dangerous intersection of two distinct architectural flaws within the application codebase. First, an authentication bypass exists within the chat preview API endpoint, allowing anyone to submit arbitrary chatbot configurations.
Second, there is a glaring absence of critical security validation layers for the native fetch API exposed inside the isolated-vm execution sandbox. Together, these oversights render previous SSRF mitigations entirely useless.
CVE-2026-33712: Typebot SSRF Vulnerability
To fully understand why CVE-2026-33712 is so catastrophic, it is essential to examine how Typebot manages the execution of dynamic backend logic. The platform utilizes an isolated-vm sandbox to execute custom server-side JavaScript code blocks securely.
This design paradigm is primarily intended to prevent end-users and bot creators from escaping the Node.js context to execute arbitrary shell commands on the host operating system.
Furthermore, Typebot incorporates a dedicated SSRF mitigation mechanism, a function named validateHttpReqUrl, which prevents standard HTTP request blocks from querying restricted internal IP ranges, such as the local loopback address (127.0.0.1) or the highly sensitive AWS Instance Metadata Service (IMDS) at 169.254.169.254.
However, diligent security researchers discovered a devastating loophole. While standard visual HTTP request blocks correctly implemented this security validation following a previous major security patch (tracked as GHSA-8gq9-rw7v-3jpr), the JavaScript fetch function exposed inside the isolated-vm context did not.
The developers inadvertently passed the Node.js native fetch API directly into the sandbox closure without wrapping it in the necessary internal URL validation functions.
Consequently, any code running inside the sandbox could make unrestricted HTTP requests to any destination, completely ignoring the application’s established security boundaries.
Compounding the sandbox validation flaw is a critical oversight in the application’s API routing layer. The specific endpoint responsible for previewing chats (POST /api/v1/typebots/{typebotId}/preview/startChat) was originally designed to allow bot creators to quickly test their conversational flows before publishing them to live audiences.
Under normal, secure circumstances, starting a customized chat session requires either an actively published bot ID or valid authentication tokens verifying the user’s identity.
Unfortunately, the getTypebot function, located deep within packages/bot-engine/src/startSession.ts, contains a fatal logical flaw:
If a malicious HTTP request explicitly defines the session type as “preview” and supplies a custom typebot JSON object, the backend system instantly accepts and processes the payload without asking any questions.
Because the associated router procedure (startChatPreviewProcedure) uses procedureWithOptionalUser rather than enforcing strict session validation via a protected procedure, any unauthenticated visitor over the public internet can send a fully weaponized chatbot definition directly to the server. The backend engine then blindly parses and executes this definition as if it were a trusted asset.
By intelligently chaining the authentication bypass with the unrestricted fetch capability hidden inside the isolated virtual machine sandbox, an attacker can construct a lethal JSON payload that silently extracts internal secrets.
The exploitation process involves crafting a custom typebot definition containing a specific “Set Variable” block configured to execute custom JavaScript.
Within the expressionToEvaluate parameter of this maliciously crafted block, the attacker simply inputs a standard asynchronous network request:
When the Typebot API receives this POST request, the engine eagerly initializes the sandbox environment, executes the embedded JavaScript, and issues a native Node.js HTTP request directly to the AWS metadata endpoint.
Since the validateHttpReqUrl function is completely bypassed in this specific code path, the underlying network routing easily permits the request.
To effortlessly exfiltrate the stolen internal data, the attacker merely maps the returned HTTP response to a visible chatbot variable. As the preview session successfully initiates, the backend responds to the API call with the opening conversational messages, which now prominently feature the exfiltrated cloud metadata.
This creates a seamless, synchronous data exfiltration pipeline that requires absolutely zero out-of-band network configurations or external attacker-controlled infrastructure.
Mitigation
The long-term implications of CVE-2026-33712 are exceptionally severe for enterprise environments. By exploiting unrestricted access to cloud metadata endpoints, threat actors can effortlessly retrieve temporary IAM role credentials.
This ultimately leads to total cloud infrastructure compromise, unauthorized database access, silent container manipulation, and massive corporate data breaches.
Furthermore, attackers can leverage this unauthenticated SSRF vector to actively map internal corporate networks, interface with highly privileged internal microservices, and exploit secondary vulnerabilities operating safely behind the corporate firewall.
To permanently mitigate this critical threat, development teams and system administrators must immediately upgrade their Typebot instances to version 3.16.0 or newer.
The official patch completely resolves both root causes by enforcing the validateHttpReqUrl() function on the fetch callback within packages/variables/src/executeFunction.ts, ensuring that all sandbox-initiated network traffic is strictly subjected to the same rigorous denylist as standard visual HTTP blocks.
Additionally, the patch changes the routing layer to require an authenticated session whenever a custom typebot object is submitted to the preview endpoint.
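The fetch-validation half of the fix, shown as an added example that is not Typebot's own code: the sandbox is handed a wrapper that runs every URL through the same denylist the visual HTTP blocks use, instead of the raw Node.js fetch. The function names validateHttpReqUrl and makeSandboxFetch, the denylist contents and the injectable resolveHost lookup are assumptions for this illustration.

```javascript
// Denylisted IPv4 ranges (CIDR): loopback, RFC 1918, link-local (which holds
// the IMDS address 169.254.169.254) and "this network". Constructed list.
const BLOCKED_V4 = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12],
  ["192.168.0.0", 16], ["169.254.0.0", 16], ["0.0.0.0", 8],
];
function v4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}
function inV4Range(ip, [base, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}
// True for a literal address in a blocked range, a localhost alias, or an
// IPv6 loopback / link-local / ULA / IPv4-mapped literal.
function isBlockedHost(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return BLOCKED_V4.some((r) => inV4Range(h, r));
  if (!h.includes(":")) return false;
  if (h === "::1" || h === "::" || /^(fe[89ab]|f[cd])/.test(h)) return true;
  const dotted = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isBlockedHost(dotted[1]);
  const hex = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!hex) return false;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return isBlockedHost(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}
// Validate scheme and host of an outbound URL. The WHATWG URL parser normalises
// hex/decimal/short IPv4 spellings (e.g. 0x7f000001) to dotted form first.
// resolveHost is an injectable synchronous lookup (assumption) returning the
// address a name resolves to, so names pointing at internal ranges fail too.
function validateHttpReqUrl(rawUrl, resolveHost = () => null) {
  let u;
  try { u = new URL(String(rawUrl)); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  if (isBlockedHost(u.hostname)) return { ok: false, reason: "host in denylist" };
  const addr = resolveHost(u.hostname);
  if (addr && isBlockedHost(addr)) return { ok: false, reason: "resolves to denylisted address" };
  return { ok: true };
}
// Shape of the fix: the sandbox is handed this wrapper, never the raw fetch.
function makeSandboxFetch(realFetch, resolveHost) {
  return (input, init) => {
    const v = validateHttpReqUrl(input, resolveHost);
    if (!v.ok) return Promise.reject(new Error(`blocked: ${v.reason}`));
    return realFetch(input, init);
  };
}
```

A production version must resolve the hostname and re-check every address it yields (and pin the connection to that address) to close the DNS-rebinding gap; the injectable lookup here only shows where that check belongs.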
For organizations running self-hosted deployments that absolutely cannot apply the patch immediately, security teams should urgently deploy a temporary Web Application Firewall (WAF) rule.
This rule should explicitly drop all inbound public requests targeting the /v1/typebots/*/preview/startChat URI that attempt to pass inline JSON typebot configurations, thereby neutralizing the unauthenticated vector until a maintenance window allows for a full version upgrade.
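The interim rule above expressed as an application-side virtual patch, added here as an example and not part of the project or the original article. The simplified request shape {method, path, body}, the injectable sessionIsValid predicate and the Express-style middleware are assumptions; the endpoint path is the one quoted in the text.

```javascript
// Matches the preview endpoint; the article quotes it both with and without
// the /api prefix, so the prefix is optional here.
const PREVIEW_START_CHAT = /^(\/api)?\/v1\/typebots\/[^/]+\/preview\/startChat$/;

// Classify one request of shape {method, path, body} (simplified, an assumption).
// sessionIsValid is an injectable predicate (assumption) standing in for the
// real session lookup; the rule only fires for inline typebot configurations.
function classifyPreviewRequest(req, sessionIsValid) {
  if (req.method !== "POST" || !PREVIEW_START_CHAT.test(req.path)) {
    return { block: false, reason: "not the preview/startChat endpoint" };
  }
  let body;
  try {
    body = typeof req.body === "string" ? JSON.parse(req.body) : req.body;
  } catch {
    // Fail closed: the backend's parser may accept what this one rejects.
    return { block: true, reason: "unparseable JSON body" };
  }
  const inlineConfig = body !== null && typeof body === "object"
    && body.typebot !== null && typeof body.typebot === "object";
  if (!inlineConfig) return { block: false, reason: "no inline typebot object" };
  if (sessionIsValid(req)) return { block: false, reason: "authenticated creator" };
  return { block: true, reason: "inline typebot config without an authenticated session" };
}

// Express-style middleware (assumption) that enforces the verdict and logs hits,
// giving responders a signal to hunt on until the upgrade lands.
function previewVirtualPatch(sessionIsValid, log = console.log) {
  return (req, res, next) => {
    const verdict = classifyPreviewRequest(req, sessionIsValid);
    if (!verdict.block) return next();
    log(`blocked ${req.method} ${req.path}: ${verdict.reason}`);
    res.status(403).json({ error: "preview with inline typebot requires authentication" });
  };
}
```

Requests that only reference a published bot by id keep working, so the rule removes the unauthenticated vector without breaking normal embeds.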
FAQ
Q1: What is CVE-2026-33712?
It is a critical CVSS 10.0 unauthenticated Server-Side Request Forgery (SSRF) flaw found in Typebot’s chat preview API endpoint.
Q2: How does the exploit work?
An attacker sends a crafted JSON payload with malicious JavaScript directly to the preview endpoint, bypassing both authentication and internal URL validation filters.
Q3: Which versions are affected?
The vulnerability impacts all self-hosted and cloud-hosted deployments of Typebot running versions up to and including 3.15.2.
Q4: How can I fix this issue?
You must immediately upgrade your Typebot environment to version 3.16.0 or temporarily deploy WAF rules to block unauthenticated preview chat requests.
Site: thecybrdef.com