DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-4CM8-XPFV-JV6F: GHSA-4CM8-XPFV-JV6F: Email Sender Spoofing and Authentication Bypass in ZeptoClaw

#security #cve #cybersecurity #ghsa

GHSA-4CM8-XPFV-JV6F: Email Sender Spoofing and Authentication Bypass in ZeptoClaw

Vulnerability ID: GHSA-4CM8-XPFV-JV6F
CVSS Score: 8.2
Published: 2026-03-12

GHSA-4CM8-XPFV-JV6F describes an authentication bypass vulnerability in the ZeptoClaw AI assistant. By spoofing the MIME 'From' header, unauthenticated attackers can bypass allowlist restrictions and execute arbitrary instructions through the platform's email processing channel. The vulnerability arises from a failure to validate SMTP envelope sender consistency and a lack of required cryptographic checks.

TL;DR

ZeptoClaw versions prior to 0.7.6 are vulnerable to an authentication bypass via email sender spoofing. The application improperly trusted the MIME 'From' header without cryptographic verification, allowing unauthorized execution of AI agent commands.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-345
  • Attack Vector: Network
  • CVSS Score: 8.2
  • Impact: High Integrity / Low Confidentiality
  • Exploit Status: Unauthenticated Remote Execution via Email
  • Component: Inbound Email Processor

Affected Systems

  • ZeptoClaw versions < 0.7.6
  • ZeptoClaw: < 0.7.6 (Fixed in: 0.7.6)

Code Analysis

Commit: bf004a2

Fix identity binding, enforce SPF/DKIM validation, and sanitize attachment filenames

Mitigation Strategies

  • Upgrade ZeptoClaw to version 0.7.6 to apply the application-layer patch.
  • Enforce strict SPF, DKIM, and DMARC validation on all upstream Mail Transfer Agents.
  • Implement network isolation for ZeptoClaw's inbound email and webhook interfaces.
  • Audit and restrict the internal allowlist to essential users only.

Remediation Steps:

  1. Verify the current running version of ZeptoClaw.
  2. Download and install ZeptoClaw release v0.7.6 from the official GitHub repository or crates.io.
  3. Configure the upstream MTA to append standard Authentication-Results headers to all inbound emails.
  4. Validate that DMARC rejection policies are actively enforced on the network edge.
  5. Restart the ZeptoClaw service and monitor application logs for rejected authentication attempts.

References

Read the full report for GHSA-4CM8-XPFV-JV6F on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)