Signal
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data
ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink. Severity: high. Identifiers: CVE-2026-32232, GHSA-2m67-cxxq-c3h8.
github
openclaw
Evidence preview
- OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode (github_advisories)
- ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink (github_advisories)
- ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted pay... (github_advisories)