๐Ÿ” CVE Alert

CVE-2026-49213

HIGH 8.1

TypeBot: SSRF protection bypass via IPv6 unspecified address in Typebot HTTP request execution

CVSS Score
8.1
EPSS Score
0.3%
EPSS Percentile
24th

TypeBot is a chatbot builder tool. Prior to 3.17.2, Typebot's shared SSRF validator in packages/lib/src/ssrf/validateHttpReqUrl.ts can be bypassed with the IPv6 unspecified address :: because validateIPAddress blocks local, metadata, and private ranges but does not block :: or its expanded form. A workspace editor or creator can configure a server-side HTTP Request block or guarded script fetch to make the Typebot server connect to local HTTP services through safeKy, including flows triggered by POST /v1/typebots/{publicId}/startChat or POST /v1/sessions/{sessionId}/continueChat. This issue is fixed in version 3.17.2.

CWE CWE-918
Vendor baptistearno
Product typebot.io
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for baptistearno typebot.io

Be the first to know when new high vulnerabilities affecting baptistearno typebot.io are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

baptisteArno / typebot.io
< 3.17.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-qx46-p88f-xxm3 github.com: https://github.com/baptisteArno/typebot.io/pull/2511 github.com: https://github.com/baptisteArno/typebot.io/commit/f56c3c3f771df13a8c11e88f500dfdd78981bed1 github.com: https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.2