OpenClaw has rolled out version 2026.2.12, patching over 40 vulnerabilities and hardening critical components.
Released four days ago by lead contributor Steipete, this update targets exploits in gateways, hooks, browser controls, and sandboxing, areas that are ripe for abuse in multi-tenant AI deployments.
With 1,950 commits to main since launch, the platform has undergone rapid iteration amid growing threats to AI infrastructure.
OpenClaw’s exposure to server-side request forgery (SSRF), remote config tampering, and prompt injection via untrusted inputs has long been flagged. This release delivers layered defenses, starting with gateway enhancements for input_file and input_image handling.
Developers now get explicit SSRF deny policies, hostname allowlists (via files.urlAllowlist and images.urlAllowlist), per-request URL input caps (maxUrlParts), and blocked fetch audit logging.
These changes prevent attackers from chaining malicious URLs to exfiltrate data or pivot to internal services, a common vector in AI gateways processing user uploads.
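A minimal sketch of the kind of URL-input gate described above, as an added example that is not OpenClaw's own code. The policy object shape, the function names and the audit record fields are assumptions; only the key names urlAllowlist and maxUrlParts come from the article.

```javascript
// Added example, not OpenClaw's code. Policy shape and audit fields are assumed;
// only the key names urlAllowlist and maxUrlParts come from the article.
const PRIVATE_V4 = [/^0\./, /^10\./, /^127\./, /^169\.254\./, /^192\.168\./,
  /^172\.(1[6-9]|2\d|3[01])\./];

// True for loopback, link-local and private literals. WHATWG URL parsing has
// already normalised forms such as "2130706433" to dotted-quad "127.0.0.1".
function isInternalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, ''); // IPv6 hostnames keep brackets
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h.includes(':')) return /^(::1?$|f[cd]|fe[89ab]|::ffff:)/.test(h);
  return /^\d+(\.\d+){3}$/.test(h) && PRIVATE_V4.some((re) => re.test(h));
}

// Returns the URLs that may be fetched plus one audit record per blocked URL.
function checkUrlInputs(urls, policy) {
  const audit = [];
  if (urls.length > policy.maxUrlParts) { // per-request cap: reject the whole request
    audit.push({ event: 'blocked_fetch', reason: 'too_many_url_parts', count: urls.length });
    return { allowed: [], audit };
  }
  const allow = new Set(policy.urlAllowlist.map((h) => h.toLowerCase()));
  const allowed = [];
  for (const raw of urls) {
    let url = null;
    let reason = null;
    try { url = new URL(raw); } catch { reason = 'unparseable'; }
    if (url) {
      if (url.protocol !== 'https:' && url.protocol !== 'http:') reason = 'scheme';
      else if (isInternalHost(url.hostname)) reason = 'internal_address';
      else if (!allow.has(url.hostname)) reason = 'host_not_allowlisted';
    }
    if (reason) audit.push({ event: 'blocked_fetch', reason, url: raw });
    else allowed.push(url.href);
  }
  return { allowed, audit };
}

// Constructed sample request: one legitimate URL and three that must be denied.
const policy = { urlAllowlist: ['cdn.example.com'], maxUrlParts: 4 };
const sample = [
  'https://cdn.example.com/report.pdf',
  'https://cdn.example.com@169.254.169.254/x', // userinfo hides the real host
  'http://2130706433/x',                       // integer form of 127.0.0.1
  'file:///tmp/x',
];
const result = checkUrlInputs(sample, policy);
console.log(result.allowed, result.audit.map((a) => a.reason));
```

A check on the URL string alone does not cover an allowlisted name that resolves to an internal address or a redirect to one, so the fetcher still has to validate the resolved address and each redirect hop.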
Hook endpoints see major overhauls, too. The POST /hooks/agent endpoint now rejects payload sessionKey overrides by default, forcing admins to opt in via hooks.defaultSessionKey (paired with hooks.allowedSessionKeyPrefixes like “hook:”).
Legacy behavior requires explicit hooks.allowRequestSessionKey: true. The release also adds new session-routing checks, plus audit and configuration warnings about risky HTTP API exposures.
Webhook and device token verification adds constant-time secret comparisons and per-client 429 throttling with Retry-After headers, curbing brute-force attacks.
Sandbox and web tools automatically wrap untrusted content, and mirrored skill syncs confine destinations to the skills/ root, ditching frontmatter-controlled paths that could enable directory traversal.
Browser/web outputs wrap snapshots, tabs, and console data, while stripping toolResult.details from model transcripts to prevent prompt-injection replays.
| Category | Fix Description | Impact Mitigated |
|---|---|---|
| Gateway/OpenResponses | SSRF deny policy, URL allowlists, input caps, audit logging | Remote resource abuse, data exfil |
| Nostr Profile API | Block unauthenticated remote config tampering (#13719) | Unauthorized config changes |
| Hooks | Remove bundled soul-evil hook (#14757) | Malicious hook execution |
| Hooks/Audit | Session-routing hardening checks and warnings | Session hijacking via keys |
| Sandbox | Confine skill syncs to skills/ root, drop frontmatter paths | Directory traversal |
| Web Tools | Untrusted wrappers, strip toolResult.details from transcripts | Prompt injection replay |
| Hooks | Constant-time secrets, per-client throttling | Brute-force auth bypass |
| Browser | Auth on loopback routes, auto-token gen, audit checks | Unauthorized browser control |
| Sessions/Gateway | Harden transcript paths, reject unsafe IDs | Path traversal in sessions |
| BlueBubbles | Fix webhook auth bypass via proxy (#13787) | Unauthorized access |
Loopback browser routes now require auth, with an auto-generated gateway.auth.token on startup and audit checks for unauthenticated controls.
Other fixes plug niche but severe gaps: unauthenticated Nostr profile API tampering, the bundled soul-evil hook removal, transcript path resolution hardening (rejecting unsafe session IDs), and BlueBubbles webhook auth bypasses via loopback proxies.
Transcript operations stay siloed within agent directories, thwarting path traversal. Not all changes are purely security-related: CLI logs now support local timestamps, WS buffers handle 5MB images, and cron isolates scheduler errors. The breadth of updates reflects OpenClaw’s role in agentic AI stacks.
Breaking changes like sessionKey restrictions require config reviews, but they help prevent session hijacking.
Admins should prioritize deployment, especially if exposing hooks or browsers. The GitHub release v2026.2.12 includes the full changelogs.