Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data
Vulnerability Description
ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (auth_token: None), an attacker who can reach POST /webhook can spoof an allowlisted sender and choose arbitrary chat_id values, enabling high-risk message spoofing and potential IDOR-style session/chat routing abuse. This vulnerability is fixed in 0.7.6.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
ZeptoClaw 数据伪造问题漏洞
Vulnerability Description
ZeptoClaw是qhkm个人开发者的一个轻量级个人AI助手。 ZeptoClaw 0.7.6之前版本存在数据伪造问题漏洞,该漏洞源于信任调用者提供的身份字段且身份验证默认禁用,可能导致高风险消息欺骗和潜在的IDOR式会话或聊天路由滥用。
CVSS Information
N/A
Vulnerability Type
N/A