17 matches found
CVE-2026-32231
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields sender, chatid from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled authtoken: None, an...
CVE-2026-32232
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, there is a Dangling Symlink Component Bypass, TOCTOU Between Validation and Use, and Hardlink Alias Bypass. This vulnerability is fixed in 0.7.6...
CVE-2026-32232
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, there is a Dangling Symlink Component Bypass, TOCTOU Between Validation and Use, and Hardlink Alias Bypass. This vulnerability is fixed in 0.7.6...
CVE-2026-32231
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields sender, chatid from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled authtoken: None, an...
CVE-2026-32232 ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, there is a Dangling Symlink Component Bypass, TOCTOU Between Validation and Use, and Hardlink Alias Bypass. This vulnerability is fixed in 0.7.6...
CVE-2026-32232
CVE-2026-32232 affects ZeptoClaw (pre-0.7.6). The vulnerability combines Dangling Symlink Component Bypass, TOCTOU Between Validation and Use, and Hardlink Alias Bypass, allowing workspace boundary bypass during path validation and subsequent I/O. The issue is fixed in 0.7.6. Affected behavior in...
CVE-2026-32231 ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields sender, chatid from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled authtoken: None, an...
CVE-2026-32231
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields sender, chatid from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled authtoken: None, an...
CVE-2026-32231
ZeptoClaw (personal AI assistant) contains a vulnerability in the webhook channel prior to version 0.7.6 where identity fields sent in the request body (sender, chat_id) are used as the authoritative identity and are not strongly bound to an authenticated source. With auth_token set to None (auth...
CVE-2026-32231 ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields sender, chatid from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled authtoken: None, an...
CVE-2026-32231 ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields sender, chatid from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled authtoken: None, an...
EUVD-2026-11669
ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink...
EUVD-2026-11667
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data...
ZeptoClaw 安全漏洞
ZeptoClaw is a lightweight personal AI assistant developed by qhkm’s individual developer. Versions of ZeptoClaw prior to 0.7.6 contained security vulnerabilities. These vulnerabilities were due to issues with bypassing suspended symbolic link components, as well as problems related to TOCTOU rac...
ZeptoClaw 数据伪造问题漏洞
ZeptoClaw is a lightweight personal AI assistant developed by qhkm’s individual developer. Versions of ZeptoClaw prior to 0.7.6 had a data manipulation vulnerability. This vulnerability stems from the use of identity fields provided by trusted callers, with authentication being disabled by defaul...
PT-2026-25042
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields sender, chat id from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled auth token: None, ...
zeptoclaw has Shell allowlist-blocklist bypass via command/argument injection and file name wildcards
Summary zeptoclaw implements a allowlist combined with a blocklist to prevent malicious shell commands in src/security/shell.rs. However, even in the Strict mode, attackers can completely bypass all the guards from allowlist and blocklist: - to bypass the allowlist, command injection is enough,...