Description
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (auth_token: None), an attacker who can reach POST /webhook can spoof an allowlisted sender and choose arbitrary chat_id values, enabling high-risk message spoofing and potential IDOR-style session/chat routing abuse. This vulnerability is fixed in 0.7.6.
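To illustrate the flaw described above, here is an added, hypothetical webhook handler (not ZeptoClaw's own code) showing the vulnerable pattern next to a hardened one. The hardened version fails closed when no credential is configured, authenticates before anything else, and derives `sender` and `chat_id` from a server-side binding of the credential rather than from the request body; the `WebhookConfig` fields and the `principals` mapping are assumptions made for this illustration.

```python
from __future__ import annotations
import hmac
from dataclasses import dataclass, field


@dataclass
class WebhookConfig:
    allow_from: set[str]                       # allowlisted senders
    auth_token: str | None = None              # None mirrors the vulnerable default: auth off
    # Hypothetical server-side binding: bearer token -> (sender, chat_id).
    principals: dict[str, tuple[str, str]] = field(default_factory=dict)


def handle_webhook_unsafe(body: dict, headers: dict, cfg: WebhookConfig) -> dict:
    """Pre-0.7.6 style pattern: auth is optional and identity comes from the body."""
    if cfg.auth_token is not None and headers.get("Authorization") != f"Bearer {cfg.auth_token}":
        return {"status": 401}
    sender = body.get("sender", "")            # caller-supplied, never verified
    if sender not in cfg.allow_from:           # allowlist applied to an untrusted value
        return {"status": 403}
    return {"status": 200, "sender": sender, "chat_id": body.get("chat_id")}


def _principal_for(token: str, cfg: WebhookConfig) -> tuple[str, str] | None:
    # Compare against every known token so timing does not reveal which one matched.
    match = None
    for known, principal in cfg.principals.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            match = principal
    return match


def handle_webhook_hardened(body: dict, headers: dict, cfg: WebhookConfig) -> dict:
    """Fail closed, authenticate first, then take identity from the credential, not the body."""
    if not cfg.principals:
        return {"status": 503}                 # nothing configured: refuse rather than open up
    presented = headers.get("Authorization", "")
    if not presented.startswith("Bearer "):
        return {"status": 401}
    principal = _principal_for(presented[len("Bearer "):], cfg)
    if principal is None:
        return {"status": 401}
    sender, chat_id = principal                # identity bound server-side to the credential
    if sender not in cfg.allow_from:
        return {"status": 403}
    if body.get("chat_id", chat_id) != chat_id:
        return {"status": 403}                 # the body may not redirect to another chat
    return {"status": 200, "sender": sender, "chat_id": chat_id}
```

With the default configuration the unsafe handler accepts a body that simply claims an allowlisted `sender`, while the hardened handler refuses to serve at all until credentials are configured.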
INFO
Published Date: 2026-03-12T18:22:48.872Z
Last Modified: 2026-03-12T20:47:02.636Z
Source: GitHub_M
AFFECTED PRODUCTS
The following products are affected by the CVE-2026-32231 vulnerability.
| Vendors | Products |
|---|---|
| Qhkm | Zeptoclaw |
REFERENCES
Here, you will find a curated list of external links that provide in-depth information about CVE-2026-32231.