What is CVE-2026-39967?

CVE-2026-39967 is a low-severity vulnerability in Baptistearno Typebot.io, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 3.1/10. Published 2026-05-22.

How severe is CVE-2026-39967?

Low severity. CVSS v3 base score is 3.1 out of 10.

Auth bypass in Baptistearno Typebot.io

CVE-2026-39967

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's the findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a differen…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (8.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.1 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N.

Affected products

Baptistearno Typebot.io — versions < 3.16.0

Weakness classification (CWE)

References

security-advisories@github.com (x_refsource_CONFIRM)
security-advisories@github.com (x_refsource_MISC)
security-advisories@github.com (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-39967?: CVE-2026-39967 is a low-severity vulnerability in Baptistearno Typebot.io, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 3.1/10. Published 2026-05-22.
How severe is CVE-2026-39967?: Low severity. CVSS v3 base score is 3.1 out of 10.