CVE-2026-48768: TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized fileName
TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any anonymous visitor to a published bot with a file input can upload attacker-controlled HTML, SVG, or JS to attacker-chosen subpaths, including other tenants’ publicly served result paths, enabling arbitrary content hosting and potential stored XSS on the storage origin. ../ traversal is blocked by S3/MinIO canonicalization (signature mismatch), but forward-slash path injection is exploitable. This issue has been fixed in version 3.17.0.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated arbitrary file write vulnerability exists in TypeBot (versions 3.16.1 and earlier) via the unsanitized fileName parameter in the generate-upload-url API endpoint. The endpoint is reachable over the network with no authentication and accepts attacker-controlled input to construct S3 object keys, then issues presigned PUT URLs with no Content-Type binding. Successful exploitation allows an attacker to write arbitrary HTML, SVG, or JavaScript files to attacker-chosen S3 subpaths, enabling arbitrary content hosting and stored cross-site scripting (XSS) on the storage origin, including paths belonging to other tenants. No patched release has been published upstream; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as a fix version is released.
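As an added illustration (not TypeBot's own code), a hardened version of the key construction that closes the three defects described above: it rejects path separators and traversal in fileName instead of passing it through, scopes the key to a tenant id taken from the server-side bot record rather than the request, and binds Content-Type into the parameters that would be handed to the S3 presigner. The function names, the tenant id format and the content-type allowlist are assumptions for the example.

```typescript
import { randomUUID } from "node:crypto";

// Content types a file-input block may accept. Active web content (HTML, SVG, JS)
// is deliberately absent so the storage origin never serves script-capable objects.
const ALLOWED_CONTENT_TYPES = new Set(["image/png", "image/jpeg", "application/pdf"]);

// One path segment only: no separators, no leading dot, bounded length.
const SAFE_SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;

export class UploadRequestError extends Error {}

// Reduce a client-supplied fileName to a single safe key segment. Anything that
// could change the key's prefix (/, \, NUL, "..") is rejected rather than stripped.
export function sanitizeFileName(fileName: string): string {
  if (/[\/\\\0]/.test(fileName)) {
    throw new UploadRequestError("fileName must not contain path separators");
  }
  if (fileName.includes("..")) {
    throw new UploadRequestError("fileName must not contain traversal sequences");
  }
  if (!SAFE_SEGMENT.test(fileName)) {
    throw new UploadRequestError("fileName contains unsupported characters");
  }
  return fileName;
}

export interface PresignParams { Bucket: string; Key: string; ContentType: string }

// Build the PutObject parameters for a presigned PUT. tenantId must come from the
// server-side record of the published bot, never from the request body, so every
// key lands under that tenant's own prefix. Including ContentType here makes it
// part of the signed request, so the uploader cannot swap it for text/html.
export function buildUploadParams(
  bucket: string,
  tenantId: string,
  fileName: string,
  contentType: string,
  idFactory: () => string = randomUUID, // injectable so tests get a fixed id
): PresignParams {
  if (!SAFE_SEGMENT.test(tenantId)) throw new UploadRequestError("invalid tenant id");
  if (!ALLOWED_CONTENT_TYPES.has(contentType)) {
    throw new UploadRequestError(`content type not allowed: ${contentType}`);
  }
  const key = `public/${tenantId}/${idFactory()}/${sanitizeFileName(fileName)}`;
  return { Bucket: bucket, Key: key, ContentType: contentType };
}
```

The returned object is what a caller would pass to the SDK's PutObject presigner; because ContentType is part of it, a PUT that changes the header fails signature verification.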
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-48768 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle TypeBot or typebot.io components, regardless of registry or pipeline stage.
- Triage: Available
Triage is available using the CVSS v3.1 score of 9.3 (CRITICAL), weighted against each customer organization's compliance policy to determine breach-of-threshold status and priority routing. Findings are surfaced to the appropriate team inbox within each customer environment based on configured ownership rules.
- Patched image: Pending upstream
Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment version 3.17.0 or a later fix is confirmed upstream. In the interim, compensating-control suggestions are surfaced in the triage finding to help teams reduce exposure while the upstream patch is pending.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the TypeBot instance's public API surface.
- Authentication: Not required
The generate-upload-url endpoint performs no authentication check, so any anonymous client can reach it without credentials.
- Victim interaction: Not required
No victim action is needed; the attacker sends a crafted POST request directly to the API without requiring any user to click or open anything.
- Attack complexity: Low (AC:L)
Exploitation is reliable and condition-free: the attacker supplies a forward-slash-injected fileName value and receives a valid presigned PUT URL in response, with no race condition or special environment state required.
Blast Radius
- Attacker writes arbitrary HTML, SVG, or JavaScript files to attacker-chosen subpaths on the shared S3 or MinIO storage origin, enabling malicious content to be served from a trusted storage domain.
- Attacker-placed scripts execute in the browser of any user whose browser loads a resource from the storage origin, enabling stored XSS that steals session tokens, cookies, or other in-browser credentials.
- Because object key paths are not tenant-scoped before the write, an attacker can overwrite or inject content into publicly served result paths belonging to other tenants on the same instance, affecting data belonging to organizations other than the attacker's own.
- Limited confidentiality exposure (CVSS C:L) means the presigned URL issuance flow may leak partial information about the storage key namespace and bucket structure to an unauthenticated caller.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-48768 as of the publication date, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild for affected environments the moment version 3.17.0 is confirmed upstream. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads without manual intervention. While the patch is pending, the triage finding surfaces compensating-control guidance: teams can apply network-policy isolation to restrict which sources may reach the generate-upload-url endpoint, restrict write permissions on the storage bucket at the bucket-policy level, and consider disabling file-input blocks in published bots until the upstream fix is available. For customers whose compliance policy flags CRITICAL findings as requiring immediate action, the finding is routed to the configured high-severity inbox and marked for expedited review.
Affected Products
- baptisteArno/typebot.io: < 3.17.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N