CVE-2025-65098
HIGH
Typebot versions prior to 3.13.2 expose a high-severity credential theft vector: any user tricked into previewing a malicious typebot has their OpenAI API keys, Google OAuth tokens, and SMTP credentials silently exfiltrated via XSS. Upgrade to 3.13.2 immediately and rotate every credential stored in affected Typebot instances; treat the keys as compromised if any user may have previewed an untrusted bot. Organizations that run LLM pipelines through Typebot integrations face unauthorized API usage, billing fraud, and downstream data exposure across the connected AI, Google Workspace and mail services.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| typebot | — | < 3.13.2 | 3.13.2 |
Any Typebot instance running a version older than 3.13.2 is affected.
Recommended Action
- 1) Upgrade Typebot to 3.13.2 immediately. The fix ships in that release; there is no configuration workaround.
- 2) Rotate all credentials stored in Typebot (OpenAI API keys, Google OAuth tokens, SMTP passwords) and treat them as compromised if any user may have previewed an untrusted bot.
- 3) Audit OpenAI API usage logs for anomalous calls over the past 30 days.
- 4) Check Google Workspace audit logs for unexpected Sheets access by the stored OAuth identities.
- 5) Add Content-Security-Policy headers that block inline script execution as defense in depth. CSP only limits what injected markup can do; it does not replace the upgrade.
- 6) Enforce credential ownership verification on every credential-returning API endpoint (the BOLA fix), and keep plaintext secrets server-side rather than returning them to the browser at all.
- 7) Migrate to a secrets manager (AWS Secrets Manager, HashiCorp Vault) instead of storing plaintext API keys in the application database.
- 8) Alert on mass credential read events from a single session in API gateway logs.
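For item 8, here is an added detection example, written for this advisory and not part of Typebot or of any gateway product, that runs the rule over constructed API gateway log lines. The JSON-per-line schema with `ts`, `sessionId`, `path` and `credentialsId` fields is an assumption made for the example; map it onto whatever your gateway actually emits.

```typescript
// Added detection example for this advisory: flag a session that reads many
// distinct credentials in a short window, the signature of a script draining a
// credential-returning endpoint. The JSON-per-line log schema is an assumption
// made for this example, not any gateway's or Typebot's real format.

const CREDENTIALS_PATH = "/api/trpc/credentials.getCredentials";

interface GatewayEvent {
  ts: number;             // epoch seconds
  sessionId: string;      // gateway's session/cookie identifier
  path: string;           // request path, assumed logged without query string
  credentialsId?: string; // present on credential reads (assumed to be logged)
}

interface Alert {
  sessionId: string;
  windowStart: number;
  distinctCredentials: number;
}

// Constructed sample log: alice re-reads one credential (normal editing);
// bob pulls four different credentials in four seconds. One malformed line
// is included to show that the parser skips it rather than dying.
const SAMPLE_LOG = `
{"ts":1700000000,"sessionId":"s-alice","path":"/api/trpc/typebots.getTypebot"}
{"ts":1700000001,"sessionId":"s-alice","path":"/api/trpc/credentials.getCredentials","credentialsId":"cred-1"}
{"ts":1700000002,"sessionId":"s-alice","path":"/api/trpc/credentials.getCredentials","credentialsId":"cred-1"}
{"ts":1700000010,"sessionId":"s-bob","path":"/api/trpc/credentials.getCredentials","credentialsId":"cred-1"}
{"ts":1700000011,"sessionId":"s-bob","path":"/api/trpc/credentials.getCredentials","credentialsId":"cred-2"}
not json at all
{"ts":1700000012,"sessionId":"s-bob","path":"/api/trpc/credentials.getCredentials","credentialsId":"cred-3"}
{"ts":1700000013,"sessionId":"s-bob","path":"/api/trpc/credentials.getCredentials","credentialsId":"cred-4"}
{"ts":1700000100,"sessionId":"s-bob","path":"/api/trpc/credentials.getCredentials","credentialsId":"cred-5"}
`;

function parseLog(text: string): GatewayEvent[] {
  const events: GatewayEvent[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    try {
      const obj = JSON.parse(line);
      if (typeof obj.ts === "number" && typeof obj.sessionId === "string" && typeof obj.path === "string") {
        events.push(obj as GatewayEvent);
      }
    } catch {
      // malformed line: skip it, never let one bad record stop the detector
    }
  }
  return events;
}

// Sliding window per session over credential reads; distinct ids are counted so
// that one user re-opening the same credential does not trip the rule.
function detectMassCredentialReads(events: GatewayEvent[], windowSeconds = 60, threshold = 3): Alert[] {
  const bySession = new Map<string, { ts: number; id: string }[]>();
  for (const e of events) {
    if (e.path !== CREDENTIALS_PATH || !e.credentialsId) continue;
    const reads = bySession.get(e.sessionId) ?? [];
    reads.push({ ts: e.ts, id: e.credentialsId });
    bySession.set(e.sessionId, reads);
  }
  const alerts: Alert[] = [];
  bySession.forEach((reads, sessionId) => {
    reads.sort((a, b) => a.ts - b.ts);
    let best = { count: 0, start: 0 };
    for (let i = 0; i < reads.length; i++) {
      const distinct = new Set<string>();
      for (let j = i; j < reads.length && reads[j].ts - reads[i].ts <= windowSeconds; j++) {
        distinct.add(reads[j].id);
      }
      if (distinct.size > best.count) best = { count: distinct.size, start: reads[i].ts };
    }
    if (best.count >= threshold) {
      alerts.push({ sessionId, windowStart: best.start, distinctCredentials: best.count });
    }
  });
  return alerts;
}

console.log(JSON.stringify(detectMassCredentialReads(parseLog(SAMPLE_LOG)), null, 2));
```

Counting distinct credential ids rather than raw requests keeps an editor who re-opens the same integration from firing the rule. Two caveats come from the tRPC transport: the procedure name sits in the URL path, so log the path without its query string (or match on a prefix), and tRPC batching can fold several procedure calls into one request with a comma-separated procedure list in the path, so if the gateway logs raw URLs, split that list before matching.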
Technical Details
NVD Description
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.
Exploitation Scenario
The attacker builds a typebot whose custom HTML/code block embeds malicious JavaScript, then shares a preview link via Slack, email, or GitHub, targeting Typebot administrators or developers. The victim clicks 'Run' to preview the bot. No role grant or elevated permission is involved: the script runs in the builder's origin, so the requests it makes carry the victim's own authenticated session.

The JavaScript calls `/api/trpc/credentials.getCredentials`, which returns the stored credentials in plaintext without verifying ownership. The OpenAI key, Google OAuth token, and SMTP password are immediately POSTed to an attacker-controlled webhook. The attacker can start using the stolen OpenAI key within minutes: the victim's quota drains, and the attacker gains access to the LLM endpoints and to any data flowing through the victim's AI automation pipelines. The Google token and SMTP password extend that reach to the victim's Sheets and outbound mail.
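To make the ownership-check point concrete, the following is an added example written for this advisory, not Typebot's own code: a tRPC-style credential handler modelled on the `/api/trpc/credentials.getCredentials` pattern, first in the vulnerable shape the advisory describes (lookup by id, full record including the plaintext secret returned to the client) and then hardened. The names (`Session`, `StoredCredential`, `getCredentialsHardened`, `resolveSecretForExecution`), the workspace model and the sample store are assumptions made for the illustration.

```typescript
// Added illustration for this advisory: a credential-returning, tRPC-style
// handler modelled on the /api/trpc/credentials.getCredentials pattern.
// Hypothetical code, not Typebot's source; names and data are invented here.

interface StoredCredential {
  id: string;
  workspaceId: string;
  type: "openai" | "google sheets" | "smtp";
  data: Record<string, string>; // decrypted secret material, server-side only
}

interface Session {
  userId: string;
  workspaceIds: string[]; // workspaces the caller is a member of
}

// What the browser is allowed to see: metadata only, never `data`.
interface CredentialSummary {
  id: string;
  workspaceId: string;
  type: StoredCredential["type"];
}

class ForbiddenError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ForbiddenError";
    Object.setPrototypeOf(this, ForbiddenError.prototype); // keeps instanceof working under ES5 targets
  }
}

// Constructed sample store (values are placeholders, not real secrets).
const credentialStore: StoredCredential[] = [
  { id: "cred-1", workspaceId: "ws-victim", type: "openai", data: { apiKey: "sk-victim-placeholder" } },
  { id: "cred-2", workspaceId: "ws-victim", type: "smtp", data: { password: "smtp-victim-placeholder" } },
  { id: "cred-3", workspaceId: "ws-attacker", type: "openai", data: { apiKey: "sk-attacker-placeholder" } },
];

// VULNERABLE pattern: lookup by id only, full record returned to the client.
// Two independent defects: no ownership check (any authenticated caller who
// knows an id gets it), and plaintext secrets leave the server at all (so
// script running as the victim can exfiltrate the victim's own keys).
function getCredentialsVulnerable(_session: Session, credentialsId: string): StoredCredential | undefined {
  return credentialStore.find((c) => c.id === credentialsId);
}

// HARDENED pattern: ownership is part of the query, and the response carries
// no secret material. A foreign id and a nonexistent id look the same.
function getCredentialsHardened(session: Session, credentialsId: string): CredentialSummary {
  const cred = credentialStore.find(
    (c) => c.id === credentialsId && session.workspaceIds.includes(c.workspaceId),
  );
  if (!cred) throw new ForbiddenError("credential not found in caller's workspaces");
  return { id: cred.id, workspaceId: cred.workspaceId, type: cred.type };
}

// Server-side use of the secret at bot execution time: the key never goes
// back to the browser, but the same ownership gate applies.
function resolveSecretForExecution(session: Session, credentialsId: string): Record<string, string> {
  const summary = getCredentialsHardened(session, credentialsId);
  const cred = credentialStore.find((c) => c.id === summary.id)!;
  return cred.data;
}

function demo(): string[] {
  const victim: Session = { userId: "u-victim", workspaceIds: ["ws-victim"] };
  const attacker: Session = { userId: "u-attacker", workspaceIds: ["ws-attacker"] };
  const out: string[] = [];
  out.push(`vulnerable, attacker -> cred-1: ${JSON.stringify(getCredentialsVulnerable(attacker, "cred-1"))}`);
  try {
    getCredentialsHardened(attacker, "cred-1");
  } catch (e) {
    out.push(`hardened, attacker -> cred-1: ${(e as Error).message}`);
  }
  out.push(`hardened, victim -> cred-1: ${JSON.stringify(getCredentialsHardened(victim, "cred-1"))}`);
  return out;
}

console.log(demo().join("\n"));
```

The hardened version fixes two things the scenario above depends on. The ownership check stops one user from pulling another user's credential by id. The metadata-only response matters more for the XSS case described here: script running in the victim's browser carries the victim's session and would pass any ownership check, so the only defence that survives a same-origin injection is never sending the secret to the client in the first place, with the server resolving it at execution time.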
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N