
Zeptoclaw CVE-2026-32231

HIGH
Missing Authentication for Critical Function (CWE-306)
2026-03-12 security-advisories@github.com GHSA-46q5-g3j9-wx5c
8.2
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

Patch released: Mar 31, 2026 - 21:13 (nvd) - patch available
PoC detected: Mar 20, 2026 - 16:03 (vuln.today) - public exploit code
Analysis generated: Mar 12, 2026 - 19:57 (vuln.today)
CVE published: Mar 12, 2026 - 19:16 (nvd)

Description (GitHub Advisory)

ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (auth_token: None), an attacker who can reach POST /webhook can spoof an allowlisted sender and choose arbitrary chat_id values, enabling high-risk message spoofing and potential IDOR-style session/chat routing abuse. This vulnerability is fixed in 0.7.6.
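The two authorization paths the advisory contrasts, as an added illustrative example written for this page in Rust. It is not ZeptoClaw's code: the struct, field and function names, the bearer-token header scheme, and the idea of binding each token to one sender and a fixed set of chat_id values are all assumptions made here to show the bug class and one hardened design. `authorize_vulnerable` reproduces the pattern the description gives (optional token, allowlist evaluated against the body's sender, chat_id taken as-is); `authorize_hardened` refuses to run without credentials, compares the token in constant time, and only honors body identity fields that match what the authenticated credential is bound to. Sample requests are constructed inline.

```rust
// Added example for CVE-2026-32231 (not ZeptoClaw's code; all names are hypothetical).
use std::collections::HashMap;

/// A parsed webhook request: header map plus the identity fields the caller put in the body.
#[derive(Debug, Clone)]
pub struct WebhookRequest {
    pub headers: HashMap<String, String>,
    pub body_sender: String,
    pub body_chat_id: String,
}

/// Hypothetical pre-fix channel config. `auth_token: None` mirrors the advisory's
/// vulnerable default: no token configured means no authentication at all.
#[derive(Debug, Clone)]
pub struct ChannelConfig {
    pub auth_token: Option<String>,
    pub allowed_senders: Vec<String>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Decision {
    Accept { sender: String, chat_id: String },
    Reject(&'static str),
}

/// Builds a constructed sample request (body fields plus optional bearer token).
pub fn build_request(sender: &str, chat_id: &str, bearer: Option<&str>) -> WebhookRequest {
    let mut headers = HashMap::new();
    if let Some(t) = bearer {
        headers.insert("authorization".to_string(), format!("Bearer {t}"));
    }
    WebhookRequest { headers, body_sender: sender.to_string(), body_chat_id: chat_id.to_string() }
}

/// VULNERABLE pattern as the advisory describes it: the token check is skipped when no
/// token is configured, the allowlist is evaluated against the caller-supplied sender,
/// and chat_id is accepted unchecked, so any caller can spoof an allowlisted sender.
pub fn authorize_vulnerable(cfg: &ChannelConfig, req: &WebhookRequest) -> Decision {
    if let Some(expected) = &cfg.auth_token {
        match req.headers.get("authorization") {
            Some(got) if got == &format!("Bearer {expected}") => {}
            _ => return Decision::Reject("bad token"),
        }
    }
    if !cfg.allowed_senders.iter().any(|s| s == &req.body_sender) {
        return Decision::Reject("sender not allowlisted");
    }
    Decision::Accept { sender: req.body_sender.clone(), chat_id: req.body_chat_id.clone() }
}

/// Identity a credential is bound to: the one sender it may speak as and the chats it may route to.
#[derive(Debug, Clone)]
pub struct Principal { pub sender: String, pub chat_ids: Vec<String> }

/// Hypothetical hardened config: token -> principal. Empty map means "refuse everything".
#[derive(Debug, Clone, Default)]
pub struct HardenedConfig { pub tokens: HashMap<String, Principal> }

/// Constant-time byte comparison so the token check does not leak prefix matches via timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// HARDENED: authentication is mandatory, the token is compared in constant time, and the
/// body's sender/chat_id are only honored when they match the authenticated principal.
pub fn authorize_hardened(cfg: &HardenedConfig, req: &WebhookRequest) -> Decision {
    if cfg.tokens.is_empty() {
        return Decision::Reject("no credentials configured");
    }
    let presented = match req.headers.get("authorization").and_then(|h| h.strip_prefix("Bearer ")) {
        Some(t) => t,
        None => return Decision::Reject("missing bearer token"),
    };
    // Scan every entry without early exit so match position does not show in timing.
    let mut matched: Option<&Principal> = None;
    for (tok, principal) in &cfg.tokens {
        if ct_eq(tok.as_bytes(), presented.as_bytes()) { matched = Some(principal); }
    }
    let principal = match matched { Some(p) => p, None => return Decision::Reject("bad token") };
    if principal.sender != req.body_sender {
        return Decision::Reject("body sender does not match authenticated principal");
    }
    if !principal.chat_ids.iter().any(|c| c == &req.body_chat_id) {
        return Decision::Reject("chat_id not bound to this credential");
    }
    Decision::Accept { sender: principal.sender.clone(), chat_id: req.body_chat_id.clone() }
}

fn main() {
    let open = ChannelConfig { auth_token: None, allowed_senders: vec!["alice".into()] };
    let spoof = build_request("alice", "someone-elses-chat", None);
    println!("vulnerable default, spoofed sender: {:?}", authorize_vulnerable(&open, &spoof));

    let mut hardened = HardenedConfig::default();
    hardened.tokens.insert("s3cret".into(), Principal { sender: "alice".into(), chat_ids: vec!["alice-chat".into()] });
    println!("hardened, same spoof: {:?}", authorize_hardened(&hardened, &spoof));
    println!("hardened, bound request: {:?}", authorize_hardened(&hardened, &build_request("alice", "alice-chat", Some("s3cret"))));
}
```

The design point is that identity must come from the authenticated credential, not from fields the caller controls; an allowlist checked against body data is an allowlist the attacker fills in. Treating a missing token as a configuration error rather than as "open" removes the insecure default the advisory calls out.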

Analysis (AI)

High severity vulnerability in ZeptoClaw. The generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: send a POST request to the /webhook endpoint
Delivery: spoof an allowlisted sender identity in the request body
Exploit: manipulate the chat_id parameter
Execution: route the message to an arbitrary session
Impact: access unauthorized chat data

Vulnerability Assessment (AI)

Exploitation: ZeptoClaw webhook authentication disabled (auth_token: None, the default configuration). …

Risk Assessment: Severity High (8.2/10.0). No EPSS data available yet. HIGH RISK: remotely exploitable without authentication, so internet-facing instances are directly vulnerable. A patch is available; prioritize updating to the fixed version.

Exploit Scenario: This vulnerability can be exploited remotely without authentication or user interaction, making it suitable for automated scanning and mass exploitation.

Remediation: Patches available:
- https://github.com/qhkm/zeptoclaw/pull/324
- https://github.com/qhkm/zeptoclaw/commit/bf004a20d3687a0c1a9e052ec79536e30d6de134
Security advisory:
- https://github.com/qhkm/zeptoclaw/security/advisories/GHSA-46q5-g3j9-wx5c
Update to 0.7.6 or later as soon as possible.

Recommended Action (AI)

Within 24 hours: Disable the ZeptoClaw webhook endpoint or require authentication via firewall/WAF rules. …


CVE-2026-32231 vulnerability details – vuln.today
