CVE-2026-32231
Severity: HIGH
ZeptoClaw < 0.7.6 - Unauthenticated Message Spoofing and Session Routing Abuse via Webhook Identity Fields
Title source: llmDescription
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (auth_token: None), an attacker who can reach POST /webhook can spoof an allowlisted sender and choose arbitrary chat_id values, enabling high-risk message spoofing and potential IDOR-style session/chat routing abuse. This vulnerability is fixed in 0.7.6.
References (4)
Vendor Advisory (x_refsource_confirm): https://github.com/qhkm/zeptoclaw/security/advisories/GHSA-46q5-g3j9-wx5c
Issue Tracking (x_refsource_misc): https://github.com/qhkm/zeptoclaw/pull/324
Patch (x_refsource_misc): https://github.com/qhkm/zeptoclaw/commit/bf004a20d3687a0c1a9e052ec79536e30d6de134
Release Notes (x_refsource_misc): https://github.com/qhkm/zeptoclaw/releases/tag/v0.7.6
Scores
CVSS v3: 8.2
EPSS: 0.0018
EPSS Percentile: 8.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-306, CWE-345
Status: published
Products (2)
crates.io/zeptoclaw: 0 - 0.7.6 (crates.io)
zeptoclaw/zeptoclaw: < 0.7.5
Published: Mar 12, 2026
Tracked Since: Mar 13, 2026