Track unresolved non-blocking issues required for transparent go/no-go decisions.
This document records Major and Minor findings that do not block presentation but must be tracked for transparency and follow-up. Blocker findings do not belong here; Blockers must be fixed before presentation.
For CVEs, this file is the human-readable register. The canonical machine-readable exception inventory lives in demo/config/supply_chain_vulnerability_policy.json, and the governing process lives in security/CVE_REMEDIATION_AND_RISK_ACCEPTANCE_POLICY.md.
Each open Major/Minor finding must include:
- Owner (accountable for resolution)
- Mitigation (current workaround or risk reduction)
- Due Date (target for resolution or exception expiry)
- Status (Open/In Progress/Closed)
- Evidence Links (logs, tickets, docs)
For CVEs, the evidence set must also point to the machine-readable allowlist record and the dated review log when an accepted-risk exception is active.
| Severity | Finding | Impact | Mitigation | Owner | Due Date | Status | Evidence Links |
|---|---|---|---|---|---|---|---|
| Major | CVE-2026-0861 Supply-Chain Risk | Presidio images contain an unpatched glibc vulnerability. Exploitation requires a local attacker plus an application bug chain. | Containers are internal-only and hardened with no-new-privileges and dropped capabilities. Official Microsoft Presidio 2.2.362/latest images still report this CVE and add higher-severity findings, so ACP remains pinned to the reviewed 2.2.361 digests until a cleaner patched image is available. | platform-security | 2026-06-19 | Open | supply_chain_vulnerability_policy.json, security/CVE_REVIEW_LOG.md |
| Major | No Automatic Failover / Customer-Owned HA Operations | ACP now validates a customer-operated two-host active-passive failover drill evidence workflow, but service continuity across host or database failure still depends on customer-operated PostgreSQL replication, fencing, promotion discipline, and DNS/load-balancer/VIP cutover. ACP does not provide automatic failover orchestration or split-brain prevention automation. | Use the validated manual drill regularly, keep off-host backups, maintain customer-owned fencing and traffic-cutover runbooks, and scope availability claims to the supported manual evidence surface described in deployment/HA_FAILOVER_TOPOLOGY.md and deployment/HA_FAILOVER_RUNBOOK.md. | platform | 2026-06-30 | Open | deployment/HA_FAILOVER_TOPOLOGY.md, deployment/HA_FAILOVER_RUNBOOK.md, reference/support-matrix.md |
| Major | Multi-Tenant Runtime Design-Only | The repository now includes a tracked design package for organization/workspace isolation and provider billing boundaries, but it does not yet implement shared-runtime tenant enforcement. Any managed-service tenant claim would overstate the current product surface. | Use one ACP deployment per customer boundary until runtime tenant enforcement, tenant-safe reporting, and managed-service operating evidence are validated. | platform | 2026-09-30 | Open | policy/MULTI_TENANT_ISOLATION_AND_BILLING.md, adr/0002-multi-tenant-isolation-design.md |
| Major | AWS Cloud Validation Boundary | The AWS cloud path is now validated only through explicit Terraform formatting/validation workflows, a validation-only dry-run AWS plan path, hardening guidance, and a basic cost-estimation model. ACP does not yet provide automated cloud apply CI, cloud runtime smoke tests in a named AWS account, or validated Azure/GCP cloud paths. Any broader cloud-support claim would overstate the current surface. | Keep Terraform and Helm under deploy/incubating/, require explicit internal make tf-* invocation, and require named-account validation before external production commitments. | platform | 2026-09-30 | Open | deployment/TERRAFORM.md, security/AWS_CLOUD_HARDENING.md, deployment/AWS_COST_ESTIMATION.md, reference/support-matrix.md |
| Minor | Port 4000 Conflict | Gateway fails to start if port 4000 is occupied by other slots/services. | Stop conflicting services or use LITELLM_HOST_PORT override. | SRE | 2026-06-01 | Open | README.md |
| Minor | Offline Token Estimation | Token counts in offline mode are estimated, not precise. | Use real providers for precise token usage validation. | Dev | 2026-03-15 | Open | README.md |
| Minor | Presidio Service Footprint | Deterministic DLP relies on two additional services (Presidio analyzer/anonymizer), which increases runtime surface area compared to native LiteLLM-only guardrails. | Keep Presidio scoped to deterministic/custom-entity requirements; use native LiteLLM guardrails for lightweight coverage where appropriate. | Security | 2026-04-01 | Open | DEPLOYMENT.md |
| Minor | DLP Offline Mode | Inline guardrail attachment requires LiteLLM guardrail support in the running tier. In offline/lab modes without required feature support, guardrail config exists but live blocking cannot be fully validated. | Treat offline as configuration/evidence rehearsal and validate live blocking in production-capable environments. | Dev | 2026-06-01 | Open | demo/logs/evidence/19_dress_rehearsal.log (generated locally; see ARTIFACTS.md) |

Closed Findings

| Severity | Finding | Resolution | Closed Date | Evidence Links |
|---|---|---|---|---|
| Major | CVE-2026-26278 Supply-Chain Risk | Hardened LibreChat refresh moved to ghcr.io/fitchmultz/acp/librechat-hardened:20260426 with patched fast-xml-parser; Trivy hardened-image gate no longer reports this CVE and the allowlist exception was removed. | 2026-04-26 | make hardened-images-scan, supply_chain_vulnerability_policy.json, security/CVE_REVIEW_LOG.md |
| Major | CVE-2026-26960 Supply-Chain Risk | Hardened LiteLLM refresh moved to ghcr.io/fitchmultz/acp/litellm-hardened:20260426 with patched dependency set; Trivy hardened-image gate no longer reports this CVE and the allowlist exception was removed. | 2026-04-26 | make hardened-images-scan, supply_chain_vulnerability_policy.json, security/CVE_REVIEW_LOG.md |
| Major | CVE-2026-26996 Supply-Chain Risk (Temporary Allowlist) | Hardened LiteLLM/LibreChat refresh landed patched minimatch; Trivy hardened-image gate no longer reports this CVE and both temporary allowlist entries were removed. | 2026-04-26 | make hardened-images-scan, supply_chain_vulnerability_policy.json, security/CVE_REVIEW_LOG.md |
| Minor | Key Generation Model Mismatch | make key-gen and demo scenarios now auto-detect offline mode via ACP_OFFLINE_MODE=1, resolving models from demo/config/litellm-offline.yaml (mock-gpt, mock-claude) in offline runs. Set ACP_OFFLINE_MODE=1 before key generation in offline demos. | 2026-02-18 | make key-gen, make demo-scenario SCENARIO=8, APPROVED_MODELS.md |
- Blocker findings do not belong here — Blockers must be fixed before presentation notification.
- Major/Minor entries must be updated whenever status changes.
- Presentation readiness review must reference this file directly.
- Closed findings move to the Closed Findings section with resolution summary.
- CVE exceptions must stay time-bounded and align to the live machine-readable policy plus the dated review log.