OpenClaw Security in 2026: What the Latest Patches Mean for Self-Hosters

Advanced Guides

OpenClaw Expert Team
9 min read

The Largest Security Update in OpenClaw's Recent History

Between v2026.2.17 and v2026.2.19, the OpenClaw project shipped over 25 security fixes — covering everything from exec command injection to WebSocket authentication, plugin sandboxing, Discord privilege escalation, and SSRF bypass via IPv6 transition addresses. Several of these were reported by external security researchers.

This is not unusual for a maturing open-source project. But for self-hosters, it raises an important question: are you running a configuration that was already hardened against these issues?

The Fixes That Matter Most

1. SSRF Protection — IPv6 Transition Addresses

SSRF (Server-Side Request Forgery) allows an attacker to trick your server into making requests to internal services. OpenClaw uses an SSRF guard (fetchWithSsrFGuard) to block this, but the guard had gaps: address spellings that a naive "is this loopback or private?" check does not recognise.

The v2026.2.19 patch now blocks SSRF bypass via:

  • NAT64 addresses (64:ff9b::/96, 64:ff9b:1::/48)
  • 6to4 addresses (2002::/16)
  • Teredo addresses (2001:0000::/32)
  • ISATAP embedded IPv4 transition addresses
  • Legacy IPv4 forms (octal, hex, short, packed — e.g., 0177.0.0.1, 127.1, 2130706433)

If your OpenClaw instance has browser automation or webhook tools enabled, these SSRF vectors were real attack surfaces on older versions. Anyone who could influence what URLs your agent fetched could potentially reach your internal network.
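The address classes listed above, worked through in Node.js as an added example; this is not OpenClaw's fetchWithSsrFGuard (whose internals are not on this page) but a stand-alone guard that normalises the legacy IPv4 spellings and extracts the IPv4 address each transition mechanism embeds, then decides whether the literal must be refused. Hostnames are out of scope here: a real guard resolves them and runs the same check on every answer and every redirect.

```javascript
// Legacy IPv4 spellings (octal, hex, short, packed decimal) -> 4 octets, or null if not an IPv4 literal.
function parseLegacyIPv4(host) {
  const parts = host.split("."), nums = [];
  if (parts.length > 4) return null;
  for (const p of parts) {
    const base = /^0x[0-9a-f]+$/i.test(p) ? 16 : /^0[0-7]+$/.test(p) ? 8 : /^\d+$/.test(p) ? 10 : 0;
    if (!base) return null; else nums.push(parseInt(p, base));
  }
  const last = nums.pop(), rest = 4 - nums.length; // the last part fills the remaining octets: 127.1 -> 127.0.0.1
  if (last >= 256 ** rest || nums.some((n) => n > 255)) return null;
  for (let i = rest - 1; i >= 0; i--) nums.push((last >>> (8 * i)) & 0xff);
  return nums;
}
// IPv6 literal -> 8 hextets, or null. Handles '::' compression and a dotted-quad tail (::ffff:10.0.0.1).
function expandIPv6(addr) {
  let a = addr.toLowerCase();
  const m = a.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/), o = m && parseLegacyIPv4(m[2]);
  if (m && !o) return null;
  if (o) a = `${m[1]}${((o[0] << 8) | o[1]).toString(16)}:${((o[2] << 8) | o[3]).toString(16)}`;
  const halves = a.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [], tail = halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? Math.max(8 - head.length - tail.length, 0) : 0;
  const hex = [...head, ...Array(fill).fill("0"), ...tail];
  if (hex.length !== 8 || hex.some((h) => !/^[0-9a-f]{1,4}$/.test(h))) return null;
  return hex.map((h) => parseInt(h, 16));
}
// The IPv4 address embedded by each transition mechanism the v2026.2.19 patch covers, or null.
function embeddedIPv4(h) {
  const v4 = (i, x = 0) => [h[i] >> 8, h[i] & 0xff, h[i + 1] >> 8, h[i + 1] & 0xff].map((b) => b ^ x);
  if (h.slice(0, 5).every((x) => x === 0) && h[5] === 0xffff) return v4(6); // IPv4-mapped ::ffff:a.b.c.d
  if (h[0] === 0x64 && h[1] === 0xff9b) return v4(6);                       // NAT64 64:ff9b::/96 and 64:ff9b:1::/48
  if (h[0] === 0x2002) return v4(1);                                        // 6to4: IPv4 sits in hextets 1-2
  if (h[0] === 0x2001 && h[1] === 0) return v4(6, 0xff);                    // Teredo client address, bits inverted
  if ((h[4] & 0xfdff) === 0 && h[5] === 0x5efe) return v4(6);               // ISATAP interface id ...:0:5efe:a.b.c.d
  return null;
}
// Loopback, "this" network, RFC 1918, link-local and CGNAT ranges.
const isPrivateIPv4 = ([a, b]) => a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
  (a === 100 && b >= 64 && b <= 127) || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
// true when a URL host literal must be refused. Hostnames return false here: resolve them, then re-check every answer.
function isBlockedHost(host) {
  const bare = host.replace(/^\[|\]$/g, "");
  const h = bare.includes(":") ? expandIPv6(bare) : undefined;
  if (h === null) return true;                                              // unparsable literal: fail closed
  if (h && h.slice(0, 7).every((x) => x === 0) && h[7] <= 1) return true;   // :: and ::1
  const v4 = h ? embeddedIPv4(h) : parseLegacyIPv4(bare);
  return v4 !== null && isPrivateIPv4(v4);
}
```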

2. Exec Tool Hardening

OpenClaw's exec tool (which lets your agent run shell commands) received several hardening patches:

  • OC-09 credential theft via environment variable injection — Fixed. Untrusted input could previously be used to read environment variables containing API keys or credentials.
  • Safe-bin bypass via file-existence oracle — Fixed. The safe-bins allowlist was leaking information about whether files exist on the host, even when execution was blocked.
  • PATH hijacking — Fixed. Allowlisted binaries must now resolve from trusted directories, preventing PATH-hijacked trojan binaries from bypassing the allowlist.
  • Shell metacharacter injection — Fixed for Windows. Scheduled task generation now quotes metacharacter arguments and rejects CR/LF to prevent command injection in daemon startup scripts.

3. Plugin and Hook Sandboxing

Plugins and hooks (shell scripts or npm packages that run in response to agent events) now enforce runtime path containment:

  • Plugin and hook paths are validated with realpath checks so they can't escape their trusted roots via directory traversal or symlinks
  • Plugin discovery now blocks unsafe candidates — root escapes, world-writable paths, suspicious ownership
  • Symlinks are rejected during skill packaging to prevent external file inclusion in distributed .skill archives

4. Discord Privilege Escalation

Two Discord security issues were fixed in v2026.2.19:

  • Moderation privilege escalation — Untrusted senderUserId params could previously be used to trigger moderation actions (timeout, kick, ban) without proper guild permission checks
  • Markdown injection — Backticks in exec-approval embed content were not escaped, allowing crafted command text to inject markdown formatting

If you have Discord connected to an OpenClaw instance with exec tools enabled, the first of these was a meaningful privilege escalation path.

5. ACP (Agentic Control Protocol) Hardening

The ACP bridge — which connects OpenClaw to IDE integrations — received several fixes:

  • Prompt payload size is now bounded to 2 MiB before gateway forwarding, preventing oversized prompt attacks
  • Duplicate session refresh, idle-session reaping, and burst rate limiting on session creation reduce local DoS risk
  • The --token-file/--password-file flags allow secrets to be passed via file rather than inline

6. Webhook Security

Feishu and Zalo webhook ingress were hardened with:

  • Webhook-mode token preconditions
  • JSON content-type enforcement
  • Per-path rate limiting
  • Replay deduplication for Zalo events
  • Constant-time secret comparison
  • Regex metacharacter escaping in Feishu mention parsing (ReDoS prevention)

7. Media Handling

  • TTS temp files now use crypto.randomBytes() for filename generation and owner-only permissions
  • Feishu inbound media temp files now use UUID-based names (not external message IDs, which are attacker-controlled)
  • Local media ingestion is hardened against TOCTOU/symlink swap attacks

What This Means If You're Self-Hosting

Here's the uncomfortable truth: most self-hosters running OpenClaw on older versions are almost certainly running at least some of these vulnerable configurations. Not because they're careless — but because:

  1. The default config is optimized for getting started quickly, not for production hardening
  2. Security patches require understanding what changed and verifying your config reflects the fix
  3. Many of these fixes required changes to gateway config validation — if your config doesn't match the new schema, the fix may not apply

The Recommended Response

If you're self-hosting OpenClaw, here's what you should do after reading this:

  1. Update to v2026.2.20 or later immediately — Most of these fixes are already shipped
  2. Run openclaw doctor — The doctor command catches many misconfigurations and will now warn about gateway.auth.mode="none" with remote exposure
  3. Audit your exec tool config — Review your tools.exec.safeBins list and ensure tools.exec.host is set appropriately
  4. Review plugin integrity — Run openclaw security audit to flag unpinned plugins, missing integrity metadata, and install-record drift
  5. Check your gateway auth — Ensure gateway.auth.mode is not "none" unless you're loopback-only

Running OpenClaw in production without a security audit? We perform a full security configuration review as part of every Professional and Enterprise deployment — covering exec policy, plugin trust, SSRF config, gateway auth, and webhook hardening. We also apply all current patches during setup.

Book a security consultation or learn about our security and sandboxing service.
