{"id":"CVE-2026-32232","summary":"ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink","details":"ZeptoClaw is a personal AI assistant. Versions prior to 0.7.6 are affected by three issues in path boundary checking: a dangling symlink component bypass, a time-of-check/time-of-use (TOCTOU) gap between validation and use, and a hardlink alias bypass. These issues are fixed in 0.7.6.","aliases":["GHSA-2m67-cxxq-c3h8"],"modified":"2026-04-10T05:42:55.877102Z","published":"2026-03-12T18:24:35.225Z","database_specific":{"cwe_ids":["CWE-22","CWE-62"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32232.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32232.json"},{"type":"ADVISORY","url":"https://github.com/qhkm/zeptoclaw/security/advisories/GHSA-2m67-cxxq-c3h8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32232"},{"type":"FIX","url":"https://github.com/qhkm/zeptoclaw/commit/f50c17e11ae3e2d40c96730abac41974ef2ee2a8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/qhkm/zeptoclaw","events":[{"introduced":"0"},{"fixed":"b64cb54d013af1bb2a3be5a3b629e86f7bf25079"}]}],"versions":["v0.4.0","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.5.7","v0.5.8","v0.5.9","v0.6.0","v0.6.1","v0.6.2","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.7.4","v0.7.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32232.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"}]}