CVE-2026-27576 Overview
CVE-2026-27576 is a resource exhaustion vulnerability (CWE-400) affecting OpenClaw, a personal AI assistant application built on Node.js. In versions 2026.2.17 and below, the ACP (Agent Communication Protocol) bridge component accepts very large prompt text blocks and can assemble oversized prompt payloads before forwarding them to the chat.send function. This vulnerability allows local attackers to cause a denial of service condition by exhausting system memory through maliciously crafted oversized prompts.
Because the ACP component runs over local stdio, this vulnerability primarily affects local ACP clients such as IDE integrations that send unusually large inputs. A malicious actor with local access or a compromised IDE plugin could exploit this flaw to crash the OpenClaw service or degrade system performance.
Critical Impact
Local attackers can cause denial of service through memory exhaustion by sending oversized prompt payloads via the ACP bridge, affecting system availability.
Affected Products
- OpenClaw versions 2026.2.17 and below (Node.js package)
- OpenClaw ACP bridge component
- IDE integrations utilizing OpenClaw ACP stdio interface
Discovery Timeline
- 2026-02-21 - CVE-2026-27576 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2026-27576
Vulnerability Analysis
The vulnerability exists in the extractTextFromPrompt function within the ACP event mapper component (src/acp/event-mapper.ts). The function processes arrays of content blocks to extract text for prompt assembly but originally lacked proper size validation. This allowed arbitrarily large prompt payloads to be concatenated and held in memory before being forwarded to the chat processing function.
The root issue is that the original implementation would allocate and concatenate the full prompt string without checking the accumulated byte count during the assembly process. This creates a classic memory exhaustion attack vector where an attacker can submit multiple large content blocks that individually appear benign but result in excessive memory allocation when combined.
Root Cause
The vulnerability stems from improper input validation in the prompt processing pipeline. The extractTextFromPrompt function did not enforce byte-level size limits during the iterative concatenation of content blocks. The function processed text blocks, resource blocks, and resource link blocks without tracking cumulative size, allowing memory to be allocated for the full concatenated string before any size validation occurred.
Additionally, the byte counting logic in earlier versions failed to account for separator bytes (newline characters) added by the join() operation between blocks, creating an off-by-n error in size calculations that could allow payloads slightly exceeding intended limits.
Attack Vector
The attack requires local access to the system running OpenClaw, specifically through the ACP stdio interface. An attacker would need to:
- Gain access to a local ACP client (such as a compromised IDE integration)
- Craft prompt requests containing multiple large content blocks
- Submit these requests through the ACP bridge to trigger memory allocation
- Repeat to exhaust available system memory
The following patch demonstrates the fix that validates prompt size block-by-block before full string concatenation:
content: string;
};
-export function extractTextFromPrompt(prompt: ContentBlock[]): string {
+export function extractTextFromPrompt(prompt: ContentBlock[], maxBytes?: number): string {
const parts: string[] = [];
+ // Track accumulated byte count per block to catch oversized prompts before full concatenation
+ let totalBytes = 0;
for (const block of prompt) {
+ let blockText: string | undefined;
if (block.type === "text") {
- parts.push(block.text);
- continue;
- }
- if (block.type === "resource") {
+ blockText = block.text;
+ } else if (block.type === "resource") {
const resource = block.resource as { text?: string } | undefined;
if (resource?.text) {
- parts.push(resource.text);
+ blockText = resource.text;
}
- continue;
- }
- if (block.type === "resource_link") {
+ } else if (block.type === "resource_link") {
const title = block.title ? ` (${block.title})` : "";
const uri = block.uri ?? "";
- const line = uri ? `[Resource link${title}] ${uri}` : `[Resource link${title}]`;
- parts.push(line);
Source: GitHub Commit ebcf197
The fix also properly accounts for separator bytes in the size calculation:
if (blockText !== undefined) {
// Guard: reject before allocating the full concatenated string
if (maxBytes !== undefined) {
- totalBytes += Buffer.byteLength(blockText, "utf-8");
+ const separatorBytes = parts.length > 0 ? 1 : 0; // "\n" added by join() between blocks
+ totalBytes += separatorBytes + Buffer.byteLength(blockText, "utf-8");
if (totalBytes > maxBytes) {
throw new Error(`Prompt exceeds maximum allowed size of ${maxBytes} bytes`);
}
Source: GitHub Commit 63e39d7
Detection Methods for CVE-2026-27576
Indicators of Compromise
- Unusual memory consumption spikes in OpenClaw or Node.js processes
- Repeated large payload submissions through ACP stdio interface
- OpenClaw service crashes or restarts due to out-of-memory conditions
- Error logs showing prompt size validation failures (post-patch indicator of attempted exploitation)
Detection Strategies
- Monitor Node.js process memory usage for abnormal growth patterns
- Implement logging for ACP bridge input sizes to detect anomalously large requests
- Set up resource limits (memory cgroups) for OpenClaw processes to prevent system-wide impact
- Review IDE plugin logs for unusual prompt submission patterns
Monitoring Recommendations
- Configure alerting for OpenClaw process memory exceeding defined thresholds
- Enable verbose logging for ACP bridge communications during security assessment periods
- Monitor system resource utilization metrics for hosts running OpenClaw
- Implement process supervision to automatically restart crashed OpenClaw instances with rate limiting
How to Mitigate CVE-2026-27576
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.19 or later immediately
- Review and restrict local access to systems running OpenClaw ACP interfaces
- Implement memory limits for OpenClaw processes using OS-level controls
- Audit IDE integrations and plugins that interact with OpenClaw for potential compromise
Patch Information
The vulnerability has been fixed in OpenClaw version 2026.2.19. The fix implements block-by-block byte counting with proper separator accounting to reject oversized prompts before memory allocation occurs. Multiple commits address this issue:
- Security fix for ACP prompt size guardrails
- Initial prompt size validation implementation
- Docker image hardening with SHA256 pinning
For complete details, refer to the GitHub Security Advisory GHSA-cxpw-2g23-2vgw.
Workarounds
- Implement OS-level memory limits for OpenClaw processes using cgroups or ulimit
- Restrict network/local access to the ACP stdio interface to trusted clients only
- Deploy application-level rate limiting for prompt submissions if upgrading is not immediately possible
- Consider running OpenClaw in a containerized environment with strict resource constraints
# Configuration example - Set memory limits for OpenClaw process
# Using systemd service override
mkdir -p /etc/systemd/system/openclaw.service.d
cat << EOF > /etc/systemd/system/openclaw.service.d/memory-limit.conf
[Service]
MemoryMax=2G
MemoryHigh=1.5G
EOF
systemctl daemon-reload
systemctl restart openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
