CVE-2026-32231HIGH 8.2EPSS p8.1%

CVE-2026-32231CVE-2026-32231

Description

ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (auth_token: None), an attacker who can reach POST /webhook can spoof an allowlisted sender and choose arbitrary chat_id values, enabling high-risk message spoofing and potential IDOR-style session/chat routing abuse. This vulnerability is fixed in 0.7.6.

Scoring

CVSS 3.18.2 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS0.18% probability of exploitation · percentile 8.1% · 2026-06-18T12:00:27Z
Published2026-03-12
Last modified2026-03-20

Underlying weaknesses· 2

CWE-306CWE-345

References

  1. https://github.com/qhkm/zeptoclaw/commit/bf004a20d3687a0c1a9e052ec79536e30d6de134
  2. https://github.com/qhkm/zeptoclaw/pull/324
  3. https://github.com/qhkm/zeptoclaw/releases/tag/v0.7.6
  4. https://github.com/qhkm/zeptoclaw/security/advisories/GHSA-46q5-g3j9-wx5c

2

TypeTargetConfidenceTier
WeaknessMissing Authentication for Critical Functioncwe-3060%live
WeaknessInsufficient Verification of Data Authenticitycwe-3450%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-35670
CVE
CVE-2026-28454
CVE
CVE-2026-32232
CVE
CVE-2026-41371
CVE
CVE-2026-32302
CVE
CVE-2026-35652
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.