The OpenClaw team has officially released version 2026.2.12, a comprehensive update focused heavily on security hardening and architectural stability.
This release addresses over 40 security vulnerabilities and stability issues, marking a significant milestone for the AI agent framework.
The update arrives just five hours after the initial code merge, underscoring the urgency of these patches.
Critical improvements span the gateway, sandbox isolation, and multiple integration providers, including WhatsApp, Discord, and Slack.
Critical Security Hardening and SSRF Protections
One of the most severe issues addressed in this release involves Server-Side Request Forgery (SSRF) risks within the gateway’s URL handling.
The development team has hardened the input_file and input_image parameters by implementing an explicit deny policy and hostname allowlists.
| Component | Vulnerability Type | Description | Attribution |
|---|---|---|---|
| Gateway | SSRF | Hardened URL handling with explicit deny policy and hostname allowlists. | Internal |
| Hooks | Malicious Code | Removal of the bundled soul-evil hook component. | @Imccccc |
| API | Auth Bypass | Fix for unauthenticated Nostr profile API remote config tampering. | @coygeek |
| Sandbox | Path Traversal | Confined skill sync destinations to prevent filesystem escapes. | @1seal |
| Web Tools | Prompt Injection | Stripped toolResult.details to reduce replay attack surface. | Internal |
| BlueBubbles | Auth Bypass | Fixed webhook authentication bypass via loopback proxy trust. | @coygeek |
The SSRF hardening prevents attackers from manipulating the agent into accessing internal network resources.
Additionally, the update introduces a strict per-request URL input cap to mitigate potential denial-of-service vectors.
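The three controls named above (explicit denies, a hostname allowlist, and a per-request URL cap) combine as follows for URL parameters such as input_file and input_image. This is an added example, not OpenClaw's code; the allowlisted hosts, the cap of 4, and the names checkUrl and validateRequestUrls are assumptions.

```javascript
// Added example, not OpenClaw code. ALLOWED_HOSTS and MAX_URLS_PER_REQUEST
// are assumed values chosen for illustration.
const ALLOWED_HOSTS = new Set(["files.example.com", "cdn.example.com"]);
const MAX_URLS_PER_REQUEST = 4;

// Decide whether one caller-supplied URL may be fetched by the gateway.
function checkUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Explicit denies come first, so a later allowlist mistake cannot re-open them.
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  // The WHATWG parser lowercases the host and rewrites IPv4 spellings such as
  // 0x7f.1 or 2130706433 to dotted decimal; IPv6 literals keep their brackets.
  const host = url.hostname.replace(/\.$/, "");
  const isIpLiteral = host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (isIpLiteral) return { ok: false, reason: "ip-literal" };
  // Exact match only: suffix or substring checks admit look-alike hosts.
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "host-not-allowlisted" };
  return { ok: true, reason: null };
}

// Apply the per-request cap before any parsing, then check every URL.
function validateRequestUrls(urls) {
  if (!Array.isArray(urls) || urls.length > MAX_URLS_PER_REQUEST) {
    return { ok: false, reason: "url-cap-exceeded", rejected: [] };
  }
  const rejected = [];
  for (const raw of urls) {
    const verdict = checkUrl(raw);
    if (!verdict.ok) rejected.push({ url: raw, reason: verdict.reason });
  }
  return { ok: rejected.length === 0, reason: rejected.length ? "denied" : null, rejected };
}

// Constructed sample inputs covering each deny path.
const SAMPLES = [
  "https://files.example.com/report.pdf",
  "https://169.254.169.254/latest/meta-data/",
  "https://2130706433/",
  "https://[::1]/admin",
  "https://files.example.com@internal.test/",
  "https://files.example.com.evil.test/x.png",
];
for (const s of SAMPLES) console.log(s, "->", JSON.stringify(checkUrl(s)));
```

An allowlisted name can still redirect or resolve to an internal address, so the same check has to run on every redirect hop, and the resolved IP should be validated before the connection is made.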
The engineering team also removed a bundled hook identified as soul-evil (PR #14757), eliminating a potential backdoor or malicious component that had inadvertently remained in the codebase.
Another significant patch targets an unauthenticated remote configuration tampering vulnerability in the Nostr profile API (PR #13719), which could have allowed unauthorized actors to modify agent settings remotely.
To further secure the agent’s runtime environment, OpenClaw 2026.2.12 refines how skills are synchronized and executed.
| Integration | Key Update | Security/Stability Impact |
|---|---|---|
| | MIME Type Defaults | Ensures voice messages are handled correctly when types are omitted. |
| Slack | Command Detection | Detects control commands even when prefixed with bot mentions. |
| Signal | Input Validation | Enforces E.164 validation to catch mistyped numbers early. |
The system now strictly limits mirrored skill destinations to the skills/ root directory, preventing directory traversal attacks that previously attempted to use frontmatter-controlled names to escape the sandbox.
Browser and web content handling has also been shifted to an “untrusted by default” model. The system now strips detailed tool results from the inputs sent back to the language model during transcript compaction.
This reduces the risk of prompt injection replay attacks, where malicious web content could manipulate the agent’s future behavior by injecting hidden instructions into the context window.
This release introduces a necessary breaking change to the POST /hooks/agent endpoint. By default, the system now rejects payload sessionKey overrides to prevent session hijacking.
Administrators who require the legacy behavior must now explicitly configure hooks.allowRequestSessionKey: true, though the team recommends using fixed hook contexts instead.
Authentication for browser control has also been strengthened. The system now requires authentication for loopback browser control routes and will auto-generate an auth token if one is missing during startup.
This prevents local attackers from hijacking the browser control interface without credentials.