CVE-2026-39968 describes an incomplete authorization fix in TypeBot, a chatbot builder tool. The vulnerability affects versions 3.15.2 and prior, where a patch for GHSA-4xc5-wfwc-jw47 failed to fully secure credential access controls. While the builder's getCredentials tRPC endpoint received workspace membership checks, the bot-engine runtime's preview chat endpoint remained vulnerable. The bot-engine's g [truncated]
TypeBot is an open-source chatbot builder platform. CVE-2026-39967 identifies an authorization flaw in the bot engine's `findResult` query where result data retrieval is not properly scoped to the requesting `typebotId`. An authenticated attacker with knowledge of a valid foreign `resultId` can supply this identifier to the `startChat` endpoint and retrieve prior session data—including user answers, varia [truncated]
