CVE-2026-27646: OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
Sandboxed requester sessions could reach host-side ACP session initialization through /acp spawn.
OpenClaw already blocked sessions_spawn({ runtime: "acp" }) from sandboxed sessions, but the /acp spawn slash-command path initialized ACP directly without applying that host-runtime guard first. A sandboxed requester issuing /acp spawn therefore reached the same host-side ACP initializer that the tool-call path denied it.
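The bug class here is two entry points to one privileged operation with the policy check on only one of them. The following is an added example, not OpenClaw's code: every name (Session, hostRuntimeGuard, sessionsSpawn, handleSlashCommandVulnerable, handleSlashCommandFixed, initAcpSession) is hypothetical. It models a tool-call path that applies the sandboxed-requester guard, a slash-command path that skips it, and the hardened form that routes the slash command through the same guard.

```typescript
// Added example, not OpenClaw code. Hypothetical names throughout.
// Models the guard asymmetry behind CVE-2026-27646: the host-runtime check
// sits on the tool-call path (sessions_spawn) but not on the "/acp spawn"
// slash-command path, so a sandboxed requester reaches host ACP init.

type Runtime = "acp" | "sandbox";

interface Session {
  id: string;
  sandboxed: boolean; // true when the requester itself runs inside a sandbox
}

interface SpawnResult {
  ok: boolean;
  runtime?: Runtime;
  parent?: string;
  error?: string;
}

// Hypothetical host-side ACP initializer. Reaching this from a sandboxed
// requester is the escalation the advisory describes.
function initAcpSession(requester: Session): SpawnResult {
  return { ok: true, runtime: "acp", parent: requester.id };
}

function initSandboxSession(requester: Session): SpawnResult {
  return { ok: true, runtime: "sandbox", parent: requester.id };
}

// The single policy both entry points must share: a sandboxed requester
// never gets a host runtime. Returns a denial reason or null.
function hostRuntimeGuard(requester: Session, runtime: Runtime): string | null {
  if (requester.sandboxed && runtime === "acp") {
    return `sandboxed session ${requester.id} may not spawn runtime "acp"`;
  }
  return null;
}

function spawnRuntime(requester: Session, runtime: Runtime): SpawnResult {
  return runtime === "acp" ? initAcpSession(requester) : initSandboxSession(requester);
}

// Tool-call path: guard applied before any runtime is started.
function sessionsSpawn(requester: Session, opts: { runtime: Runtime }): SpawnResult {
  const denied = hostRuntimeGuard(requester, opts.runtime);
  if (denied) return { ok: false, error: denied };
  return spawnRuntime(requester, opts.runtime);
}

// Slash-command path, vulnerable form: "/acp spawn" calls the ACP
// initializer directly and never consults hostRuntimeGuard.
function handleSlashCommandVulnerable(requester: Session, line: string): SpawnResult {
  const [cmd, sub] = line.trim().split(/\s+/);
  if (cmd === "/acp" && sub === "spawn") {
    return initAcpSession(requester);
  }
  return { ok: false, error: `unknown command: ${line}` };
}

// Slash-command path, hardened form: delegate to the guarded entry point so
// there is exactly one place where the host-runtime policy is enforced.
function handleSlashCommandFixed(requester: Session, line: string): SpawnResult {
  const [cmd, sub] = line.trim().split(/\s+/);
  if (cmd === "/acp" && sub === "spawn") {
    return sessionsSpawn(requester, { runtime: "acp" });
  }
  return { ok: false, error: `unknown command: ${line}` };
}

// Constructed sample sessions for the demonstration.
const sandboxedRequester: Session = { id: "sess-sandbox-1", sandboxed: true };
const hostRequester: Session = { id: "sess-host-1", sandboxed: false };

console.log(sessionsSpawn(sandboxedRequester, { runtime: "acp" }).ok);            // false
console.log(handleSlashCommandVulnerable(sandboxedRequester, "/acp spawn").ok);   // true (the bug)
console.log(handleSlashCommandFixed(sandboxedRequester, "/acp spawn").ok);        // false
console.log(handleSlashCommandFixed(hostRequester, "/acp spawn").ok);             // true
```

The practical check this suggests for any agent gateway: enumerate every path that can start a host-side runtime (tool calls, slash commands, API endpoints, scheduled jobs) and make each of them call the same guard function, rather than re-implementing the policy per entry point.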
References
- github.com/advisories/GHSA-9q36-67vc-rrwg
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/61000b8e4ded919ca1a825d4700db4cb3fdc56e3
- github.com/openclaw/openclaw/releases/tag/v2026.3.7
- github.com/openclaw/openclaw/security/advisories/GHSA-9q36-67vc-rrwg
- nvd.nist.gov/vuln/detail/CVE-2026-27646