PT-2026-25042 · Crates.Io+3 · Zeptoclaw

Zpbrent · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-32231

CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ZeptoClaw versions prior to 0.7.6

Description: ZeptoClaw is a personal AI assistant. Its generic webhook channel takes the identity fields (sender, chat id) straight from the JSON request body without verifying them, and then runs its allowlist authorization checks against those attacker-supplied values. Because authentication on the channel is optional and defaults to disabled (auth token: None), anyone who can reach the POST /webhook endpoint can claim to be an allowlisted sender and choose an arbitrary chat id. The result is high-risk message spoofing and IDOR-style abuse of session and chat routing. The root cause is that the system treats the user-provided JSON identity as authoritative: nothing beyond the payload value itself establishes who the sender is, and the chat id is likewise attacker-controlled, so both routing and session association can be manipulated.

Recommendations: Versions prior to 0.7.6 should be updated to version 0.7.6 or later. Until the update is applied, keep /webhook unreachable from untrusted networks and configure the channel's auth token; note that a token only limits who can reach the endpoint, and because sender and chat id are still read from the body in affected versions, any holder of the token can still spoof them, so treat the token as an interim mitigation rather than a fix.
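The following Rust is an added illustration for this advisory, not ZeptoClaw's code and not the upstream fix. The field names (`auth_token`, `sender`, `chat_id`), the bearer-token header format and the per-sender token design are assumptions made for the example. It puts the vulnerable shape the description above outlines (optional token defaulting to None, allowlist checked against the body's `sender`, `chat_id` taken verbatim) next to one hardened shape in which the handler fails closed when no credential is configured, derives identity from the credential that verified rather than from the body, and only routes into chats that identity owns.

```rust
use std::collections::HashMap;

/// Minimal model of an incoming POST /webhook after JSON parsing.
/// Constructed for this example; these are not ZeptoClaw's types.
pub struct WebhookRequest<'a> {
    pub headers: HashMap<&'a str, &'a str>,
    pub sender: Option<&'a str>,  // identity field taken from the JSON body
    pub chat_id: Option<&'a str>, // routing field taken from the JSON body
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Accepted { sender: String, chat_id: String },
    Rejected(&'static str),
}
use Outcome::{Accepted, Rejected};

/// Vulnerable shape as the advisory describes it: the token is optional
/// (None means no authentication at all), the allowlist is checked against
/// whatever sender string the client sent, and chat_id is used verbatim.
pub struct VulnerableConfig {
    pub auth_token: Option<String>, // assumed field name, defaults to None
    pub allowed_senders: Vec<String>,
}

pub fn handle_vulnerable(cfg: &VulnerableConfig, req: &WebhookRequest) -> Outcome {
    if let Some(token) = &cfg.auth_token {
        let expected = format!("Bearer {token}");
        if req.headers.get("authorization").copied() != Some(expected.as_str()) {
            return Rejected("bad token");
        }
    }
    // Authorization decision made on attacker-controlled input.
    let sender = req.sender.unwrap_or("");
    if !cfg.allowed_senders.iter().any(|s| s == sender) {
        return Rejected("sender not allowlisted");
    }
    Accepted { sender: sender.to_string(), chat_id: req.chat_id.unwrap_or("default").to_string() }
}

/// Hardened shape (one possible design, assumed for this example): each
/// allowlisted sender has its own bearer token, identity comes from the
/// token that verified, and chat_id must be one of that sender's chats.
pub struct HardenedConfig {
    pub tokens: HashMap<String, String>,     // token -> sender it proves
    pub chats: HashMap<String, Vec<String>>, // sender -> chats it may route into
}

fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    // Length is not secret for fixed-size tokens; bytes are compared without early exit.
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

pub fn handle_hardened(cfg: &HardenedConfig, req: &WebhookRequest) -> Outcome {
    if cfg.tokens.is_empty() {
        return Rejected("no webhook credentials configured; failing closed");
    }
    let presented = match req.headers.get("authorization").and_then(|v| v.strip_prefix("Bearer ")) {
        Some(t) => t,
        None => return Rejected("missing bearer token"),
    };
    // Walk every entry so timing does not reveal which token matched.
    let mut verified: Option<&str> = None;
    for (tok, who) in &cfg.tokens {
        if ct_eq(tok.as_bytes(), presented.as_bytes()) {
            verified = Some(who.as_str());
        }
    }
    let sender = match verified { Some(s) => s, None => return Rejected("invalid token") };
    // The body's sender is never trusted; at most it must agree with the credential.
    if matches!(req.sender, Some(claimed) if claimed != sender) {
        return Rejected("body sender disagrees with authenticated identity");
    }
    let owned: &[String] = cfg.chats.get(sender).map(Vec::as_slice).unwrap_or(&[]);
    let chat_id = match req.chat_id {
        Some(c) if owned.iter().any(|o| o == c) => c,
        Some(_) => return Rejected("chat id not owned by sender"),
        None => match owned.first() {
            Some(c) => c.as_str(),
            None => return Rejected("no chat configured for sender"),
        },
    };
    Accepted { sender: sender.to_string(), chat_id: chat_id.to_string() }
}

/// Constructed hardened config with one allowlisted sender and one chat.
pub fn example_hardened_config() -> HardenedConfig {
    HardenedConfig {
        tokens: HashMap::from([("tok-alice-example".to_string(), "alice".to_string())]),
        chats: HashMap::from([("alice".to_string(), vec!["chat-alice".to_string()])]),
    }
}

/// Constructed spoofing attempt: no credential at all, but the body claims
/// to be the allowlisted "alice" and names a chat alice should not reach.
pub fn spoof_request<'a>() -> WebhookRequest<'a> {
    WebhookRequest { headers: HashMap::new(), sender: Some("alice"), chat_id: Some("chat-bob-private") }
}

pub fn demo() -> (Outcome, Outcome) {
    let vulnerable = VulnerableConfig { auth_token: None, allowed_senders: vec!["alice".to_string()] };
    let req = spoof_request();
    (handle_vulnerable(&vulnerable, &req), handle_hardened(&example_hardened_config(), &req))
}

fn main() {
    let (v, h) = demo();
    println!("vulnerable: {v:?}\nhardened:   {h:?}");
}
```

Running it shows the unauthenticated spoof accepted by the vulnerable handler, routed into the attacker-chosen chat, and rejected by the hardened one before the body is even consulted. The hardened handler also refuses to run with an empty credential table instead of silently turning authentication off, which is the default-disabled behaviour the advisory calls out.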

Exploit

Fix

Weakness Enumeration

Insufficient Verification of Data Authenticity
Missing Authentication

Related Identifiers

CVE-2026-32231
GHSA-46Q5-G3J9-WX5C

Affected Products

Zeptoclaw