Key Vulnerability Information

CVE ID: CVE-2026-27576
Severity: Low

Vulnerability Summary:
The ACP bridge accepted very large prompt text blocks and could assemble oversized prompt payloads before forwarding them to chat.send. This mainly affects local ACP clients (e.g., IDE integrations) that send unusually large inputs.

Affected Packages/Versions:
- Package: openclaw (npm)
- Affected versions: = 2026.2.18

Impact:
- Local ACP sessions may become less responsive when very large prompts are submitted.
- Larger-than-expected model usage/cost from oversized text.
- No privilege escalation or direct remote attack path in the default ACP model.

Affected Components:
- src/acp/event-mapper.ts
- src/acp/translator.ts

Remediation:
- Enforce a 2 MiB prompt-text limit before concatenation.
- Count inter-block newline separator bytes during pre-concatenation size checks.
- Keep final outbound message-size validation before chat.send.
- Avoid stale active-run session state when oversized prompts are rejected.
- Add regression tests for oversize rejection and active-run cleanup.

Fix Commit(s):
- 732e53151e8fbdfc6501182ddb0e990878bdc1e3
- ebcf19746f5c500a41817e03abecadea8655654a
- 63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c

Reported by: @aether-ai-agent
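The sketch below illustrates the remediation items on pre-concatenation size checks and active-run cleanup. It is an added example, not code from the openclaw repository or its fix commits; the `TextBlock` shape, the session object and every function name are assumptions made for illustration.

```typescript
// Added example with hypothetical names; not the project's implementation.
const MAX_PROMPT_BYTES = 2 * 1024 * 1024; // 2 MiB limit named in the advisory

type TextBlock = { type: "text"; text: string }; // assumed block shape

// UTF-8 length of a string, computed without allocating an encoded copy.
function utf8ByteLength(s: string): number {
  let bytes = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x80) bytes += 1;
    else if (c < 0x800) bytes += 2;
    else if (c >= 0xd800 && c <= 0xdbff && i + 1 < s.length &&
             (s.charCodeAt(i + 1) & 0xfc00) === 0xdc00) {
      bytes += 4; // valid surrogate pair: one 4-byte code point
      i++;
    } else bytes += 3; // other BMP char, or lone surrogate (replaced by U+FFFD)
  }
  return bytes;
}

// Sum block sizes plus one "\n" separator byte between blocks and reject
// as soon as the running total passes the limit, before any join happens.
function joinPromptBlocks(blocks: TextBlock[], limit: number = MAX_PROMPT_BYTES): string {
  let total = 0;
  let first = true;
  for (const block of blocks) {
    if (!first) total += 1; // inter-block newline separator
    first = false;
    total += utf8ByteLength(block.text);
    if (total > limit) throw new Error(`prompt text exceeds ${limit} bytes`);
  }
  return blocks.map((b) => b.text).join("\n");
}

// Validate first, mark the run active second: a rejected prompt then
// leaves no stale active-run state on the session.
function startRun(
  session: { activeRunId: string | null },
  runId: string,
  blocks: TextBlock[],
  limit: number = MAX_PROMPT_BYTES,
): string {
  const text = joinPromptBlocks(blocks, limit); // throws when oversized
  session.activeRunId = runId;
  return text;
}
```

A final size check on the assembled outbound message before chat.send, as the remediation list also requires, would sit after `startRun` and is not shown here.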