CVE-2026-32231 is a vulnerability categorized under CWE-306 (Missing Authentication for Critical Function) and CWE-345 (Insufficient Verification of Data Authenticity) affecting the ZeptoClaw personal AI assistant software by qhkm. Prior to version 0.7.6, the generic webhook channel in ZeptoClaw trusts identity fields such as 'sender' and 'chat_id' provided in the request body without enforcing authentication, as the authentication mechanism is optional and defaults to disabled (auth_token: None). This design flaw allows an attacker who can send HTTP POST requests to the /webhook endpoint to spoof allowlisted sender identities and arbitrarily select chat_id values. Consequently, the attacker can perform high-risk message spoofing, impersonating trusted users or systems, and potentially abuse session or chat routing via IDOR-style attacks, redirecting or intercepting messages intended for other users. The vulnerability has a CVSS v3.1 base score of 8.2, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a significant impact on integrity with limited confidentiality impact and no availability impact. Although no exploits have been observed in the wild, the flaw poses a serious risk to the integrity of communications and user sessions within ZeptoClaw deployments. The issue was addressed and fixed in version 0.7.6 by enforcing proper authentication and validation of webhook requests. The vulnerability was publicly disclosed on March 12, 2026.

The vulnerability allows unauthenticated attackers to spoof identities and manipulate chat sessions within ZeptoClaw, potentially leading to unauthorized message injection, impersonation of trusted users, and session hijacking. This compromises the integrity of communications, undermines user trust, and could facilitate further attacks such as social engineering or data leakage through misrouted messages. Organizations relying on ZeptoClaw for AI assistant functionalities may experience operational disruptions or reputational damage if attackers exploit this flaw. Although availability is not impacted, the integrity breach can have cascading effects on decision-making processes and automated workflows dependent on ZeptoClaw. The lack of authentication also increases the attack surface, enabling remote exploitation without credentials or user interaction, thus raising the risk profile significantly.

1. Upgrade all ZeptoClaw deployments to version 0.7.6 or later immediately to apply the official fix that enforces authentication on webhook requests. 2. If upgrading is not immediately possible, implement network-level controls such as IP whitelisting or firewall rules to restrict access to the /webhook endpoint only to trusted sources. 3. Introduce additional validation layers on incoming webhook requests to verify the authenticity and integrity of identity fields beyond relying solely on the application’s default mechanisms. 4. Monitor webhook traffic for anomalous patterns, such as unexpected sender or chat_id values, to detect potential exploitation attempts. 5. Employ logging and alerting on webhook endpoint access to facilitate rapid incident response. 6. Review and harden any downstream systems or integrations that consume ZeptoClaw webhook data to ensure they do not blindly trust incoming messages. 7. Educate development and security teams about the risks of missing authentication on critical functions and enforce secure coding practices for webhook implementations.