CVE-2026-39969 (GCVE-0-2026-39969)
Vulnerability from cvelistv5 – Published: 2026-05-22 18:43 – Updated: 2026-05-23 02:35
VLAI
Title
TypeBot: WhatsApp Webhook Endpoint Missing Signature Verification
Summary
TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both workspaceId and credentialsId as path parameters, which are logged in web server access logs, visible in Meta's webhook configuration dashboard, and potentially shared when configuring integrations. This allows any unauthenticated attacker to send spoofed webhook messages to trigger bot flows, consume API resources, and interact with external services using the workspace owner's credentials. The issue has been fixed in version 3.17.0.
Severity
6.5 (Medium)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/baptisteArno/typebot.io/securi… | x_refsource_CONFIRM |
| https://github.com/baptisteArno/typebot.io/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| baptisteArno | typebot.io |
Affected:
< 3.17.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39969",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-23T02:34:58.003512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T02:35:40.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8vqp-r5w7-v47f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "typebot.io",
"vendor": "baptisteArno",
"versions": [
{
"status": "affected",
"version": "\u003c 3.17.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both workspaceId and credentialsId as path parameters, which are logged in web server access logs, visible in Meta\u0027s webhook configuration dashboard, and potentially shared when configuring integrations. This allows any unauthenticated attacker to send spoofed webhook messages to trigger bot flows, consume API resources, and interact with external services using the workspace owner\u0027s credentials. The issue has been fixed in version 3.17.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T18:43:39.039Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8vqp-r5w7-v47f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8vqp-r5w7-v47f"
},
{
"name": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.0"
}
],
"source": {
"advisory": "GHSA-8vqp-r5w7-v47f",
"discovery": "UNKNOWN"
},
"title": "TypeBot: WhatsApp Webhook Endpoint Missing Signature Verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39969",
"datePublished": "2026-05-22T18:43:39.039Z",
"dateReserved": "2026-04-08T00:01:47.627Z",
"dateUpdated": "2026-05-23T02:35:40.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-39969",
"date": "2026-05-30",
"epss": "0.00031",
"percentile": "0.09637"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39969\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-23T02:34:58.003512Z\"}}}], \"references\": [{\"url\": \"https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8vqp-r5w7-v47f\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-23T02:35:32.464Z\"}}], \"cna\": {\"title\": \"TypeBot: WhatsApp Webhook Endpoint Missing Signature Verification\", \"source\": {\"advisory\": \"GHSA-8vqp-r5w7-v47f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"baptisteArno\", \"product\": \"typebot.io\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.17.0\"}]}], \"references\": [{\"url\": \"https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8vqp-r5w7-v47f\", \"name\": \"https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8vqp-r5w7-v47f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.0\", \"name\": \"https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both workspaceId and credentialsId as path parameters, which are logged in web server access logs, visible in Meta\u0027s webhook configuration dashboard, and potentially shared when configuring integrations. This allows any unauthenticated attacker to send spoofed webhook messages to trigger bot flows, consume API resources, and interact with external services using the workspace owner\u0027s credentials. The issue has been fixed in version 3.17.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-345\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-22T18:43:39.039Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-39969\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-23T02:35:40.152Z\", \"dateReserved\": \"2026-04-08T00:01:47.627Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-22T18:43:39.039Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…