Vulnerability details: VCID-yy7a-7jat-27hx
Vulnerability ID VCID-yy7a-7jat-27hx
Aliases CVE-2026-27576
GHSA-cxpw-2g23-2vgw
Summary OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs
- Local ACP sessions may become less responsive when very large prompts are submitted
- Larger-than-expected model usage/cost when oversized text is forwarded
- No privilege escalation and no direct remote attack path in the default ACP model
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-27576
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-cxpw-2g23-2vgw
cvssv4 4.8 https://github.com/openclaw/openclaw
generic_textual MODERATE https://github.com/openclaw/openclaw
cvssv4 4.8 https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c
generic_textual MODERATE https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c
ssvc Track https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c
cvssv4 4.8 https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68
generic_textual MODERATE https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68
ssvc Track https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68
cvssv4 4.8 https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a
generic_textual MODERATE https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a
ssvc Track https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a
cvssv4 4.8 https://github.com/openclaw/openclaw/releases/tag/v2026.2.19
generic_textual MODERATE https://github.com/openclaw/openclaw/releases/tag/v2026.2.19
ssvc Track https://github.com/openclaw/openclaw/releases/tag/v2026.2.19
cvssv3.1_qr MODERATE https://github.com/openclaw/openclaw/security/advisories/GHSA-cxpw-2g23-2vgw
cvssv4 4.8 https://github.com/openclaw/openclaw/security/advisories/GHSA-cxpw-2g23-2vgw
generic_textual MODERATE https://github.com/openclaw/openclaw/security/advisories/GHSA-cxpw-2g23-2vgw
ssvc Track https://github.com/openclaw/openclaw/security/advisories/GHSA-cxpw-2g23-2vgw
cvssv4 4.8 https://nvd.nist.gov/vuln/detail/CVE-2026-27576
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-27576
No exploits are available.
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:11:17Z/ Found at https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:11:17Z/ Found at https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:11:17Z/ Found at https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/releases/tag/v2026.2.19
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:11:17Z/ Found at https://github.com/openclaw/openclaw/releases/tag/v2026.2.19
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/security/advisories/GHSA-cxpw-2g23-2vgw
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T18:11:17Z/ Found at https://github.com/openclaw/openclaw/security/advisories/GHSA-cxpw-2g23-2vgw
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27576
Exploit Prediction Scoring System (EPSS)
Percentile 0.00503
EPSS Score 7e-05
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T21:06:45.256510+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/openclaw/CVE-2026-27576.yml 38.6.0