CVE-2026-34207
Published 2026-05-22
Priority: P3 (49) · Severity: high · CVSS 3.1 base score: 7.6
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
EPSS: 0.24% (14.8th percentile)
TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.example that resolves to 127.0.0.1, 169.254.169.254, or RFC1918/private space passes validation and is later fetched by the backend HTTP client. This enables server-side request forgery to loopback, cloud metadata, and private network targets. This issue has been resolved in version 3.16.0.
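The defensive pattern the advisory describes, as an added JavaScript example that is not TypeBot's code and not the fix in the referenced commit: the hostname is resolved before the request is allowed, every answer is checked against loopback, link-local (including the metadata endpoint), RFC1918 and related ranges, and the vetted address is returned so the fetcher can pin it rather than resolve again. The resolver here is a constructed stub table (`FAKE_DNS`); a real service would substitute `dns.promises.lookup(host, { all: true })`.

```javascript
// Constructed stand-in for DNS (real code: dns.promises.lookup(host, { all: true })).
const FAKE_DNS = {
  'ssrf-repro.example': ['127.0.0.1'],           // hostname that resolves to loopback
  'metadata-alias.example': ['169.254.169.254'], // hostname that resolves to cloud metadata
  'dual.example': ['203.0.113.10', '10.0.0.5'],  // mixed public/private answers
  'api.partner.example': ['203.0.113.10'],       // legitimate public endpoint
};

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Ranges a server-side fetcher should never reach: "this network", RFC1918, CGNAT,
// loopback and link-local (which covers the 169.254.169.254 metadata endpoint).
const BLOCKED_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];

function isBlockedAddress(addr) {
  const n = ipv4ToInt(addr.replace(/^::ffff:/i, '')); // unwrap IPv4-mapped IPv6
  if (n !== null) {
    return BLOCKED_V4.some(([base, bits]) =>
      (n >>> (32 - bits)) === (ipv4ToInt(base) >>> (32 - bits)));
  }
  const a = addr.toLowerCase(); // minimal IPv6: unspecified, loopback, link-local, ULA
  return a === '::' || a === '::1' || /^fe[89ab]/.test(a) || /^f[cd]/.test(a);
}

// Returns { ok: false, reason } or { ok: true, host, pinnedAddress }. Callers must
// connect to pinnedAddress rather than re-resolve, or a second lookup may answer differently.
function validateWebhookUrl(rawUrl, resolve = (h) => FAKE_DNS[h] || []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'invalid url' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  const isLiteral = ipv4ToInt(host) !== null || host.includes(':');
  const addrs = isLiteral ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: 'unresolvable host' };
  const bad = addrs.find(isBlockedAddress); // every answer must be acceptable
  if (bad) return { ok: false, reason: `host resolves to blocked address ${bad}` };
  return { ok: true, host, pinnedAddress: addrs[0] };
}
```

Checking only the string, as the vulnerable versions did, would have accepted `ssrf-repro.example`; resolving first rejects it because the answer is 127.0.0.1.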
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| baptistearno | typebot.io | < 3.16.0 | 3.16.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |
| cvelistv5 | 3.1 | 7.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |
CVEList

TypeBot: SSRF Protection Bypass via DNS-Resolved Hostnames in Webhook / HTTP Request Validation
cvelistv5 · 2026-05-22 · CVSS 7.6 · HIGH · CWE-20
VulDB

baptisteArno typebot.io up to 3.15.x HTTP Request input validation (GHSA-grcc-6x37-wwgp)
vuldb · 2026-05-22 · CRITICAL
A vulnerability was found in baptisteArno typebot.io up to 3.15.x. It has been classified as critical. This issue affects some unknown processing of the component HTTP Request Handler. The manipulation leads to improper input validation.
This vulnerability is uniquely identified as CVE-2026-34207. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/baptisteArno/typebot.io/commit/23818bb0e54db23c456ee3fa6b12d82b2af848b8
- https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0
- https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grcc-6x37-wwgp