{"data":{"id":"a5ed223b-c5b5-4837-bf2d-59100c27237f","title":"GHSA-cxpw-2g23-2vgw: OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs","summary":"OpenClaw's ACP bridge (ACP is a local communication protocol for IDE integrations) did not enforce prompt-size limits before processing, so it accepted and forwarded extremely large text blocks, which could slow down local sessions and increase API costs. The vulnerability only affects local clients sending unusually large inputs; there is no remote attack risk.","solution":"The patched version 2026.2.18 enforces a 2 MiB (2 mebibytes, 2,097,152 bytes) prompt-text limit before combining text blocks, counts newline separator bytes during size checks, keeps the final message-size validation before sending to the chat service, prevents stale session state when oversized prompts are rejected, and adds regression tests for oversize rejection and cleanup.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-cxpw-2g23-2vgw","publishedAt":"2026-02-20T21:52:44.000Z","cveId":"CVE-2026-27576","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["openclaw@<= 2026.2.17 (fixed: 2026.2.19)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00005,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}