GHSA-4cm8-xpfv-jv6f: ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation

March 12, 2026

The email channel authorizes senders based on the parsed From header identity only. If upstream email authentication/enforcement is weak (for example, relaxed SPF/DKIM/DMARC handling), an attacker can spoof an allowlisted sender address and have the message treated as trusted input.

References

github.com/advisories/GHSA-4cm8-xpfv-jv6f
github.com/qhkm/zeptoclaw
github.com/qhkm/zeptoclaw/releases/tag/v0.7.6
github.com/qhkm/zeptoclaw/security/advisories/GHSA-4cm8-xpfv-jv6f

Code Behaviors & Features

Detect and mitigate GHSA-4cm8-xpfv-jv6f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →