Security Hardening in v2026.2.13

Peter Steinberger

@steipete

February 14, 2026

OpenClaw v2026.2.13 is our most security-focused release to date. With over 20 security-specific commits from contributors across the community, this version addresses everything from SSRF vulnerabilities to credential exposure. Here's what changed and why it matters.

High-Risk Tool Blocking

By default, dangerous tools like sessions_spawn, sessions_send, gateway, and whatsapp_login are now blocked from the HTTP /tools/invoke endpoint. Operators can override this with gateway.tools.{allow,deny}, but the safe default means a compromised integration can no longer trigger sensitive operations without explicit opt-in. Thanks @aether-ai-agent.

IP Authentication Hardening

This is a breaking change. Canvas IP-based auth fallback now only accepts machine-scoped addresses (RFC1918, link-local, ULA IPv6, CGNAT). Public-source IP matches require bearer token auth. If you relied on public IP fallback, you'll need to switch to token-based auth. Thanks @sumleo.
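As an added illustration (not OpenClaw source code), the sketch below classifies a source address against the ranges listed above and shows why a public IP match alone no longer authenticates. The names parseV4, isMachineScoped and canvasAuthDecision are hypothetical, and loopback is left out because the list above does not include it.

```javascript
// Added illustration, not OpenClaw source; all function names are hypothetical.
// Assumes sourceIp comes from the socket layer (e.g. Node's socket.remoteAddress).

// Parse strict dotted-quad IPv4 to an integer; null for anything else.
function parseV4(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    // Reject leading zeros so "010.0.0.1" is never read as octal or decimal 10.
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// The IPv4 ranges the post lists: RFC1918, link-local, CGNAT.
const V4_RANGES = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // RFC1918
  ["169.254.0.0", 16],                                      // link-local
  ["100.64.0.0", 10],                                       // CGNAT (RFC 6598)
].map(([base, bits]) => [parseV4(base), 2 ** (32 - bits)]);

function isMachineScoped(addr) {
  let a = String(addr).trim().toLowerCase().replace(/%.*$/, ""); // drop zone id
  // Unwrap IPv4-mapped IPv6 so ::ffff:203.0.113.7 is judged as the public IPv4 it is.
  const mapped = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (mapped) a = mapped[1];
  if (a.includes(".")) {
    const n = parseV4(a);
    return n !== null && V4_RANGES.some(([lo, size]) => n >= lo && n < lo + size);
  }
  // IPv6: only the first hextet matters for fc00::/7 (ULA) and fe80::/10 (link-local).
  // Anything starting with "::" has a zero first hextet, so it fails closed here.
  const m = a.match(/^([0-9a-f]{1,4}):[0-9a-f:]*$/);
  if (!m) return false;
  const first = parseInt(m[1], 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80;
}

// Decision sketch: a valid bearer token always wins; the IP fallback is only
// considered for machine-scoped sources, so a public IP match alone is denied.
function canvasAuthDecision({ sourceIp, bearerValid, ipMatches }) {
  if (bearerValid) return "allow:token";
  if (ipMatches && isMachineScoped(sourceIp)) return "allow:ip-fallback";
  return "deny";
}
```

Addresses the classifier cannot parse, including hex-form mapped addresses such as ::ffff:c0a8:0101, return false and therefore fall through to token auth.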

SSRF Protection

Loopback, internal host patterns, and private/mapped IPv6 addresses are now blocked in URL handling for link CLI flows. This closes a class of SSRF bypasses that could have allowed internal network scanning. Thanks @AI-Reviewer-QS.

Path Traversal Fixes

  • /trace/stop, /wait/download, and /download output paths are now constrained to OpenClaw temp roots, rejecting traversal and escape paths.
  • Canvas A2UI assets are served via openFileWithinRoot, closing traversal and TOCTOU gaps. Thanks @abdelsfane.

Credential Protection

WhatsApp creds.json and creds.json.bak now enforce 0o600 permissions on save, backup, and restore. Config writes preserve ${VAR} env references so openclaw config set no longer accidentally persists secrets to disk. Thanks @abdelsfane, @thewilloftheshadow.

ACP & Permission Hardening

ACP permission selection now fails closed when tool identity or options are ambiguous, supporting allow_always/reject_always. Node exec approval handling also fails closed on unexpected decisions. Thanks @aether-ai-agent, @rmorse.

Sandbox Improvements

Configured sandbox.docker.env variables are now properly passed to sandbox containers at docker create time. The security audit also distinguishes external webhooks from internal hooks to avoid false exposure signals. Thanks @stevebot-alive, @mcaxtr.

Log & Audit Hardening

  • Untrusted WebSocket header values are sanitized and truncated in pre-handshake close logs to reduce log-poisoning risk.
  • Config overwrites now log audit entries (path, backup target, hash transition) for traceability.
  • Security audit adds misconfiguration checks for sandbox Docker config, ineffective deny rules, and permissive extension-plugin tool reachability.

Android Security

App updates now require HTTPS and gateway-host URL matching plus SHA-256 verification. Camera downloads stream to disk with size guards. Release builds no longer use debug signing keys. Thanks @smartprogrammer93.

Other Notable Security Fixes

  • Strict binding-scope matching across peer/guild/team/roles prevents cross-context routing leaks. Thanks @lailoo.
  • Heredoc bodies are allowed in exec while general newline command chaining stays blocked. Thanks @mcaxtr.
  • Gateway hook responses preserve 408 for timeouts with bounded auth-failure cache eviction. Thanks @AI-Reviewer-QS.
  • Multi-user DM isolation guidance is clarified in security audit and onboarding. Thanks @VintLin.

Beyond Security

This release also ships Discord voice messages with waveform previews, configurable presence status, Hugging Face Inference provider support, OpenAI Codex/Spark integration, a write-ahead delivery queue for crash recovery, and dozens of platform-specific fixes across WhatsApp, Telegram, Slack, MS Teams, and Matrix.

Over 50 contributors made this release possible. Full changelog is on GitHub.
