CVE-2026-32231 ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts the caller-supplied identity fields sender and chat_id from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (auth_token: None), an...
CVE-2026-32231
ZeptoClaw (personal AI assistant) contains a vulnerability in the webhook channel prior to version 0.7.6 where identity fields sent in the request body (sender, chat_id) are used as the authoritative identity and are not strongly bound to an authenticated source. With auth_token set to None (auth...
ZeptoClaw data forgery vulnerability
ZeptoClaw is a lightweight personal AI assistant developed by the individual developer qhkm. Versions of ZeptoClaw prior to 0.7.6 have a data manipulation vulnerability. The vulnerability stems from trusting identity fields supplied by the caller, with authentication disabled by defaul...
GHSA-HV93-R4J3-Q65F OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing
Summary
The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions.
Affected Behavior
- POST /hooks/agent accepted payload...