Typebot
- <= 3.15.2
Typebot versions up to and including 3.15.2 contain an authorization flaw in the getResultLogs API endpoint. The endpoint verifies that the caller is authorized for the supplied Typebot ID, but it does not verify that the supplied result ID belongs to that Typebot. An authenticated attacker can therefore pass their own Typebot ID together with a victim's result ID and read the victim's execution logs from another workspace. Those logs can contain sensitive data such as HTTP response bodies, AI model outputs and webhook payloads. Other result-scoped endpoints in the same router do perform this check, which indicates the omission was an unintentional oversight.
Exploitation gives an attacker unauthorized access to execution logs from other workspaces, breaking tenant isolation and disclosing cross-workspace data. The leaked logs can include full HTTP response bodies from external API integrations, AI model outputs, webhook payloads and detailed error information, any of which may carry personal or business-sensitive data.
To reproduce, an authenticated user sends a request to the getResultLogs endpoint with a Typebot ID they are authorized for and a result ID that belongs to a Typebot in another workspace. The server checks the caller's access to the Typebot ID but not whether the result ID belongs to that Typebot, so it returns the victim's execution logs. Beyond an account of their own, the only prerequisite is a valid result ID from the victim's workspace.
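The following is an added illustration, not Typebot's own code: an in-memory model of the authorization gap described above (Typebot ownership checked, result ownership not) next to the scoped lookup that closes it. The user, workspace, Typebot and result IDs, the sample log entries and the helper names (isTypebotReadable, getResultLogsVulnerable, getResultLogsFixed, attempt) are all assumptions made for the example.

```typescript
// Added example (not Typebot's own code): an in-memory model of the
// getResultLogs authorization gap and of the scoped lookup that closes it.
// All names and records below (workspaces, users, typebot/result IDs, the
// helper functions) are assumptions made for illustration.

type Typebot = { id: string; workspaceId: string };
type Result = { id: string; typebotId: string };
type ResultLog = { resultId: string; description: string; details: string };

// Constructed sample data: two workspaces, each with one member, one bot
// and one result. "bob" is the victim; "alice" is the attacker.
const workspaceMembers: Record<string, string[]> = {
  "ws-attacker": ["alice"],
  "ws-victim": ["bob"],
};
const typebots: Typebot[] = [
  { id: "bot-attacker", workspaceId: "ws-attacker" },
  { id: "bot-victim", workspaceId: "ws-victim" },
];
const results: Result[] = [
  { id: "res-attacker", typebotId: "bot-attacker" },
  { id: "res-victim", typebotId: "bot-victim" },
];
const resultLogs: ResultLog[] = [
  { resultId: "res-attacker", description: "Webhook response", details: '{"ok":true}' },
  { resultId: "res-victim", description: "Webhook response", details: '{"email":"victim@example.com"}' },
];

// Tenant check shared by both variants: the caller must be a member of the
// workspace that owns the typebot named in the request.
function isTypebotReadable(userId: string, typebotId: string): Typebot {
  const bot = typebots.find((t) => t.id === typebotId);
  const members = bot ? workspaceMembers[bot.workspaceId] || [] : [];
  if (!bot || members.indexOf(userId) === -1) throw new Error("FORBIDDEN");
  return bot;
}

// Vulnerable shape: the typebot is authorized, but the logs are fetched by
// result ID alone, so a result from any workspace is accepted.
function getResultLogsVulnerable(userId: string, typebotId: string, resultId: string): ResultLog[] {
  isTypebotReadable(userId, typebotId);
  return resultLogs.filter((l) => l.resultId === resultId);
}

// Fixed shape: the result is looked up scoped to the authorized typebot.
// A result that exists but belongs to another typebot is refused the same
// way as a missing one, so the response does not confirm that the ID is valid.
function getResultLogsFixed(userId: string, typebotId: string, resultId: string): ResultLog[] {
  const bot = isTypebotReadable(userId, typebotId);
  const result = results.find((r) => r.id === resultId && r.typebotId === bot.id);
  if (!result) throw new Error("FORBIDDEN");
  return resultLogs.filter((l) => l.resultId === result.id);
}

// Runs one request against a handler and reports whether any log entry came back.
function attempt(
  handler: (u: string, t: string, r: string) => ResultLog[],
  userId: string,
  typebotId: string,
  resultId: string,
): string {
  try {
    const logs = handler(userId, typebotId, resultId);
    return `allowed (${logs.length} log entries)`;
  } catch (e) {
    return `refused (${(e as Error).message})`;
  }
}

// Attacker "alice" sends her own typebot ID with the victim's result ID.
console.log("vulnerable:", attempt(getResultLogsVulnerable, "alice", "bot-attacker", "res-victim"));
console.log("fixed:     ", attempt(getResultLogsFixed, "alice", "bot-attacker", "res-victim"));
```

The point of the fixed variant is that the result lookup carries the already-authorized Typebot ID as part of its filter, so the result can never be resolved outside the tenant that was just checked; a separate "does this result belong to that Typebot" comparison after an unscoped fetch works too, but is the kind of step that is easy to forget, which is exactly what happened here.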
The issue is fixed in Typebot version 3.16.0; users should update to that version or later.