Public February 2026
Typebot Result Log Authorization Check Broke at the Wrong Boundary
BugBunny.ai found that Typebot checked whether a user could access a given typebot, but then fetched result logs by resultId alone. Because the lookup never confirmed that the result belonged to the authorized typebot, an authenticated attacker who could obtain a valid result identifier could read logs from another workspace.
TL;DR
- Impact: authenticated users can read another workspace's result logs and the data they contain.
- Vector: a cross-workspace resultId supplied to the getResultLogs endpoint alongside a typebotId the caller is authorized for.
- Affected: Typebot v3.15.2, the version tested during coordinated disclosure.
- Status: CVE assigned; vendor patch still pending at the time of this snapshot.
Root Cause
The endpoint performed an authorization check against the supplied typebotId, but the subsequent database lookup pivoted to resultId without confirming that the referenced result actually belonged to that authorized typebot.
This mismatch is a classic IDOR pattern: authorization is decided on one object (the typebot) while the sensitive data is retrieved through another (the result). Once an attacker learns or guesses a valid result ID, the endpoint trusts a relationship it never verified and returns data from a workspace the caller cannot access.
Product
Typebot
Affected
v3.15.2
Patched
Vendor patch pending
Weaknesses
CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
Mitigation
- Until a vendor patch ships, do not expose the getResultLogs endpoint to untrusted tenants on a multi-tenant deployment.
- Scope the resultId lookup to the typebot that was just authorized (query by both resultId and typebotId, or verify the result's parent after fetching it) rather than relying on the parent typebot check alone.
- Audit similar endpoints that authorize one identifier but fetch data through another; any handler whose database query does not carry the authorized parent as a constraint is a candidate.
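The following is an added illustration of the root cause and of the fix recommended above; it is not Typebot's code. The record shapes, the in-memory store, the sample data and the function names are hypothetical stand-ins for an ORM-backed handler, and the check in `getResultLogsFixed` is the scoped-lookup pattern, not the vendor's eventual patch.

```typescript
// Added illustration, not Typebot's code. Types, store and names are hypothetical.
type Typebot = { id: string; workspaceId: string };
type Result = { id: string; typebotId: string; logs: string[] };
type User = { id: string; workspaceIds: string[] };

// Constructed sample data: two workspaces, each with one typebot and one
// result. The attacker is a member of workspace A only.
const typebots: Typebot[] = [
  { id: "tb-A", workspaceId: "ws-A" },
  { id: "tb-B", workspaceId: "ws-B" },
];
const results: Result[] = [
  { id: "res-A", typebotId: "tb-A", logs: ["ws-A: contact form submitted"] },
  { id: "res-B", typebotId: "tb-B", logs: ["ws-B: email=victim@example.com"] },
];
const attacker: User = { id: "u-attacker", workspaceIds: ["ws-A"] };
const outsider: User = { id: "u-outsider", workspaceIds: ["ws-B"] };

class AuthzError extends Error {}

// Authorization: the caller must belong to the workspace that owns the typebot.
function canReadTypebot(user: User, typebotId: string): boolean {
  const tb = typebots.find((t) => t.id === typebotId);
  return tb !== undefined && user.workspaceIds.includes(tb.workspaceId);
}

// Vulnerable shape: authorization is decided on typebotId, but the data is
// fetched by resultId alone, so any valid resultId from any workspace is served.
function getResultLogsVulnerable(user: User, typebotId: string, resultId: string): string[] {
  if (!canReadTypebot(user, typebotId)) throw new AuthzError("FORBIDDEN");
  const result = results.find((r) => r.id === resultId); // no typebotId constraint
  if (!result) throw new AuthzError("NOT_FOUND");
  return result.logs;
}

// Hardened shape: the lookup is scoped to the typebot that was just authorized,
// so a result belonging to another typebot (and so another workspace) is simply
// not found. This is the equivalent of a findFirst({ where: { id, typebotId } })
// style query against an ORM.
function getResultLogsFixed(user: User, typebotId: string, resultId: string): string[] {
  if (!canReadTypebot(user, typebotId)) throw new AuthzError("FORBIDDEN");
  const result = results.find((r) => r.id === resultId && r.typebotId === typebotId);
  if (!result) throw new AuthzError("NOT_FOUND"); // same error as a genuinely unknown id
  return result.logs;
}

type Handler = (u: User, t: string, r: string) => string[];

// Run one handler with the given arguments; report "leaked" if logs came back,
// otherwise the error name. Used to compare both handlers on the attack input.
function probe(handler: Handler, user: User, typebotId: string, resultId: string): string {
  try {
    handler(user, typebotId, resultId);
    return "leaked";
  } catch (e) {
    return (e as Error).message;
  }
}

// The attack: the attacker pairs a typebot they own (tb-A) with a result id
// from workspace B (res-B). The typebot check passes in both handlers; only
// the scoped lookup refuses to return the foreign result.
console.log("vulnerable:", probe(getResultLogsVulnerable, attacker, "tb-A", "res-B")); // leaked
console.log("fixed:", probe(getResultLogsFixed, attacker, "tb-A", "res-B")); // NOT_FOUND
console.log("outsider:", probe(getResultLogsFixed, outsider, "tb-A", "res-A")); // FORBIDDEN
```

The fixed handler deliberately answers NOT_FOUND rather than FORBIDDEN for a foreign result, so the endpoint does not become an oracle for which result identifiers exist in other workspaces. When auditing other endpoints, the question to ask of each query is whether the identifier that passed the authorization check also appears as a constraint in the fetch.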
Credits & Disclosure
CVE-2026-28444 was assigned during coordinated disclosure based on GitHub Security Advisory GHSA-c63p-mqx5-75r7.