Vulnerability Details CVE-2026-32231
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (auth_token: None), an attacker who can reach POST /webhook can spoof an allowlisted sender and choose arbitrary chat_id values, enabling high-risk message spoofing and potential IDOR-style session/chat routing abuse. This vulnerability is fixed in 0.7.6.
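The two authorization shapes the advisory contrasts, as an added illustration that is not ZeptoClaw's own code: `route_untrusted` models the pre-0.7.6 pattern (optional token, allowlist evaluated on the body's own `sender`, `chat_id` taken as given), and `route_hardened` shows identity bound to the credential with `chat_id` scoped to it. The types, the token-to-principal map and the sample values are constructed assumptions.

```rust
use std::collections::HashMap;

/// Constructed model of a webhook channel; these are not ZeptoClaw's real types.
/// A principal is what a bearer token proves: one sender identity and the chats it may address.
pub struct Principal { pub sender: String, pub chat_ids: Vec<String> }
pub struct WebhookConfig {
    pub auth_token: Option<String>,             // shared token; None = auth disabled (the default)
    pub allowed_senders: Vec<String>,           // allowlist checked by the vulnerable path
    pub principals: HashMap<String, Principal>, // hardened path: token -> bound identity
}
/// Request body: every field is caller-controlled once the endpoint is reachable.
pub struct WebhookBody { pub sender: String, pub chat_id: String }
#[derive(Debug, PartialEq)]
pub struct Routed { pub sender: String, pub chat_id: String }

fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Vulnerable shape: the token check is skipped when auth_token is None, and the
/// allowlist is evaluated against the caller's own `sender`, so a spoofed body passes
/// and `chat_id` is routed wherever the caller says.
pub fn route_untrusted(cfg: &WebhookConfig, bearer: Option<&str>, body: &WebhookBody)
    -> Result<Routed, &'static str> {
    if let Some(expected) = &cfg.auth_token {
        let got = bearer.ok_or("missing bearer token")?;
        if !constant_time_eq(got.as_bytes(), expected.as_bytes()) { return Err("bad token"); }
    }
    if !cfg.allowed_senders.iter().any(|s| s == &body.sender) { return Err("sender not allowed"); }
    Ok(Routed { sender: body.sender.clone(), chat_id: body.chat_id.clone() })
}

/// Hardened shape: authentication is mandatory, identity comes from the credential,
/// the body's `sender` is only cross-checked, and `chat_id` must be in the principal's scope.
pub fn route_hardened(cfg: &WebhookConfig, bearer: Option<&str>, body: &WebhookBody)
    -> Result<Routed, &'static str> {
    let got = bearer.ok_or("missing bearer token")?;
    // Scan every key with a constant-time compare so the lookup itself does not leak.
    let principal = cfg.principals.iter()
        .find(|(tok, _)| constant_time_eq(tok.as_bytes(), got.as_bytes()))
        .map(|(_, p)| p).ok_or("unknown token")?;
    if body.sender != principal.sender { return Err("sender does not match credential"); }
    if !principal.chat_ids.iter().any(|c| c == &body.chat_id) { return Err("chat_id out of scope"); }
    Ok(Routed { sender: principal.sender.clone(), chat_id: body.chat_id.clone() })
}
```

With the default `auth_token: None`, the vulnerable path accepts any body naming an allowlisted sender; the hardened path refuses the same request without a credential and rejects a credentialed request that names a chat outside the principal's scope.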
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 19.4%
CVSS Severity
CVSS v3 Score 8.2
Products affected by CVE-2026-32231
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.0.1
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.2.0
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.4.0
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.5.0
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.5.1
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.5.2
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.5.3
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.5.4
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.5.5
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.5.7
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.5.8
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.5.9
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.6.0
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.6.1
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.6.2
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.7.0
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.7.1
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.7.2
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.7.3
- cpe:2.3:a:zeptoclaw:zeptoclaw:0.7.4