CVE-2026-27576

OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs

CVSS 4.8 (Medium) · EPSS 0.2% · CWE-400
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track (no exploitation signal → monitor)
KEV: no
Lifecycle
21 Feb 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very large prompt text blocks and can assemble oversized prompt payloads before forwarding them to chat.send. Because ACP runs over local stdio, this mainly affects local ACP clients (for example IDE integrations) that send unusually large inputs. This issue has been fixed in version 2026.2.19.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected products
openclaw · openclaw
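The description above amounts to a missing resource-consumption check (CWE-400): prompt text blocks arriving over the local stdio bridge are concatenated into one payload for chat.send with no per-block or total size limit. The following is an added illustration, not OpenClaw's own code and not taken from the 2026.2.19 fix; the block shape, the constants and the function names are assumptions. It places the unchecked assembly next to a guarded variant that rejects oversized input before any large string is built.

```typescript
// Added example (not OpenClaw code). A minimal model of ACP prompt content
// blocks: ACP sends a list of typed blocks, of which text blocks carry the
// prompt text. The field names here are assumptions for illustration.
interface PromptBlock {
  type: string;
  text?: unknown;
}

// Assumed limits. Real values belong in configuration; the point is that
// both a per-block and a cumulative bound exist and are enforced before
// assembly, not after.
const MAX_BLOCK_CHARS = 64 * 1024;
const MAX_PROMPT_CHARS = 256 * 1024;
const MAX_BLOCKS = 64;

type GuardResult =
  | { ok: true; prompt: string; chars: number }
  | { ok: false; reason: string };

// Vulnerable shape: every text block is joined into one string with no
// bound on block size, block count or total size. A local client sending
// very large inputs makes the bridge allocate and forward an oversized
// payload, which is the responsiveness problem the advisory describes.
function assemblePromptUnchecked(blocks: PromptBlock[]): string {
  const parts: string[] = [];
  for (const b of blocks) {
    if (b.type === "text" && typeof b.text === "string") {
      parts.push(b.text);
    }
  }
  return parts.join("\n");
}

// Hardened shape: validate shape and size incrementally. Each check runs
// before the offending text is appended, so the oversized payload is never
// materialised. Sizes are measured in UTF-16 code units (string length),
// which is an upper bound on the character count and cheap to compute.
function assemblePromptGuarded(blocks: PromptBlock[]): GuardResult {
  if (blocks.length > MAX_BLOCKS) {
    return { ok: false, reason: `too many blocks: ${blocks.length} > ${MAX_BLOCKS}` };
  }
  const parts: string[] = [];
  let total = 0;
  for (let i = 0; i < blocks.length; i++) {
    const b = blocks[i];
    if (b.type !== "text") {
      continue; // non-text blocks are out of scope for this example
    }
    if (typeof b.text !== "string") {
      return { ok: false, reason: `block ${i}: text block without string text` };
    }
    if (b.text.length > MAX_BLOCK_CHARS) {
      return { ok: false, reason: `block ${i}: ${b.text.length} chars exceeds ${MAX_BLOCK_CHARS}` };
    }
    total += b.text.length;
    if (total > MAX_PROMPT_CHARS) {
      return { ok: false, reason: `total prompt size ${total} exceeds ${MAX_PROMPT_CHARS}` };
    }
    parts.push(b.text);
  }
  return { ok: true, prompt: parts.join("\n"), chars: total };
}

// Constructed sample input: a normal prompt and one that is individually
// small per block but oversized in total.
const normalPrompt: PromptBlock[] = [
  { type: "text", text: "Summarise the open issues in this repository." },
  { type: "text", text: "Keep the answer under 200 words." },
];
const oversizedPrompt: PromptBlock[] = Array.from({ length: 5 }, () => ({
  type: "text",
  text: "x".repeat(60 * 1024), // 5 x 60 KiB = 300 KiB > MAX_PROMPT_CHARS
}));

console.log(assemblePromptGuarded(normalPrompt));
console.log(assemblePromptGuarded(oversizedPrompt));
```

The cumulative check matters as much as the per-block one: a client that stays under the per-block limit can still exceed the total by sending many blocks, so the guard has to track the running size and stop at the first block that would push it over, rather than measuring the joined string afterwards.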
