CVE Catalog

CVE-2026-34207

High
Published: Translated: NVD NIST

Summary

TypeBot is a chatbot builder tool that, in versions prior to 3.16.0, has a vulnerability in SSRF protection. The SSRF protection for Webhook / HTTP Request blocks only validates the URL string, allowing the use of local IP addresses and hostnames that can lead to unauthorized access to internal resources.

Risk Assessment

Organizations may be exposed to server-side request forgery attacks, which could lead to data leakage from private networks or access to sensitive information in the cloud.

Recommendation

It is recommended to update TypeBot to version 3.16.0 or later to mitigate this vulnerability.

Original NVD description (English source)

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.example that resolves to 127.0.0.1, 169.254.169.254, or RFC1918/private space passes validation and is later fetched by the backend HTTP client. This enables server-side request forgery to loopback, cloud metadata, and private network targets. This issue has been resolved in version 3.16.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS