OpenClaw 2026.2.12 Released With Fix for 40+ Security Issues



OpenClaw Version 2026.2.12 is a major security-focused update that fixes more than 40 vulnerabilities and strengthens protection across the AI agent platform. The update improves hooks, browser control, scheduling, messaging channels, and gateway security.

The main goal of this release is defense-in-depth. It follows serious concerns about exposed OpenClaw agents, token-stealing remote code execution (RCE) chains, and unsafe default deployments.

Gateway and OpenResponses now enforce a strict SSRF deny policy for URL-based input_file and input_image requests.

This includes hostname allowlists, per-request URL limits, and audit logging for blocked fetch attempts. These controls make it much harder for attackers to use agents to scan or probe internal networks.

Outputs from browser and web tools are now treated as untrusted data. They are wrapped in structured metadata and cleaned before reaching the model, reducing the risk of prompt-injection attacks.

Hooks and webhooks also receive major hardening. Secret comparisons now use constant-time checks, and per-client rate limiting (HTTP 429 with Retry-After) slows brute-force attempts.
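One way to implement the two hook controls described above, shown as an added example that is not OpenClaw's own code. The function names, the in-memory store, and the threshold values are assumptions made for illustration.

```javascript
// Added example (not OpenClaw source): constant-time hook secret check
// combined with per-client throttling that answers 429 + Retry-After.
const crypto = require("node:crypto");

// Assumed limits; the article does not state the real values.
const MAX_FAILURES = 5;
const WINDOW_MS = 60_000;

// crypto.timingSafeEqual throws when buffer lengths differ, so both values
// are hashed to fixed-size digests first. Missing or empty secrets fail closed.
function secretsMatch(presented, expected) {
  if (typeof presented !== "string" || presented.length === 0) return false;
  const digest = (s) => crypto.createHash("sha256").update(s).digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Hypothetical guard factory. clientId would typically be the remote address.
// `now` is injectable so the window logic can be tested deterministically.
function createHookGuard(expectedSecret, now = Date.now) {
  const failures = new Map(); // clientId -> { count, windowStart }

  return function check(clientId, presentedSecret) {
    const t = now();
    let entry = failures.get(clientId);
    if (entry && t - entry.windowStart >= WINDOW_MS) {
      failures.delete(clientId); // window expired, start fresh
      entry = undefined;
    }
    // Throttle before comparing, so a locked-out client gets no more guesses.
    if (entry && entry.count >= MAX_FAILURES) {
      const retryAfter = Math.ceil((entry.windowStart + WINDOW_MS - t) / 1000);
      return { status: 429, headers: { "Retry-After": String(retryAfter) } };
    }
    if (secretsMatch(presentedSecret, expectedSecret)) {
      failures.delete(clientId);
      return { status: 200, headers: {} };
    }
    if (entry) entry.count += 1;
    else failures.set(clientId, { count: 1, windowStart: t });
    return { status: 401, headers: {} };
  };
}
```

Because the throttle is evaluated before the comparison, a client that has exhausted its attempts receives 429 even when it finally presents the correct secret, until the window expires.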


By default, POST /hooks/agent blocks payload sessionKey overrides. Operators must configure safe prefixes or manually re-enable legacy behavior.

| Component | Category | Key Feature |
|---|---|---|
| Core Platform | Security | Fixes 40+ vulnerabilities |
| Gateway | SSRF Protection | Strict URL allowlists, request limits, audit logging |
| Model Pipeline | Prompt Injection Defense | Browser/tool outputs sanitized before model processing |
| Hooks/Webhooks | Hooks Security | Constant-time secret checks and rate limiting |
| Browser Control | Authentication | Mandatory auth required |
| Scheduler (Cron) | Scheduler Fixes | Prevents skipped or duplicate jobs |
| Gateway | Gateway Updates | Safe restart handling and larger WebSocket support |
| Messaging Channels | Channel Improvements | Safer Telegram, WhatsApp, Slack, Signal, Discord integrations |
| Release Packages | Release Integrity | Signed Mac packages with SHA-256 verification |

The update also fixes unauthenticated tampering with remote Nostr profile configuration, removes a risky hook, restricts mirrored skill sync to a sandboxed directory, and tightens transcript path validation to block unsafe file access.

Loopback browser control, previously linked to one-click RCE and token leaks, now requires mandatory authentication.

If no credentials are set, OpenClaw automatically generates a secure gateway token. New audit checks also flag unauthenticated browser control routes.

These changes directly address cases where exposed OpenClaw instances allowed full RCE and credential theft.

Reliability improvements are another key part of 2026.2.12. The cron scheduler is heavily patched to prevent skipped jobs, duplicate triggers, and restart-related issues.

Timers now re-arm correctly, and one failing job no longer blocks others. Heartbeat logic is improved to reduce noise and prevent false reminder triggers. Gateway updates ensure active sessions drain safely before restart, preventing message loss.

WebSocket limits now support images up to 5 MB. Installations auto-generate authentication tokens and reject missing or undefined tokens. Logging improvements also enhance macOS deployments.

The broader ecosystem also receives updates:

| Component | Update |
|---|---|
| Telegram | Safer message handling and improved formatting |
| WhatsApp | Better Markdown support and improved media handling |
| Slack | Improved reply handling and bot mention detection |
| Signal | Stronger validation and better mention rendering |
| Discord | Improved DM reactions and thread management |
| Mac Releases | Signed packages with SHA-256 checksum verification |

In today’s environment of exposed AI agents and RCE risks, OpenClaw 2026.2.12 provides an important security baseline that operators should deploy as soon as possible.
