OpenClaw 2026.2.12 Release Patches 40+ Vulnerabilities in AI Agents
OpenClaw 2026.2.12 brings critical security fixes for over 40 vulnerabilities in its AI agent platform. It targets risks like exposed agents, RCE chains, and unsafe setups. Users get stronger defenses in gateways, hooks, browser controls, and more.
This update stresses defense-in-depth. Developers addressed SSRF flaws in URL handling for files and images. Gateway and OpenResponses now use deny-by-default policies with hostname allowlists and audit logs. Attackers face hurdles when trying to scan internal networks via agents.
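The deny-by-default allowlist check described above, sketched as an added example (not OpenClaw's own code). The allowlist entry format, the function names, and the sample DNS answers are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist; the page does not show the real files.urlAllowlist format.
ALLOWLIST = {"cdn.example.com", "*.assets.example.net"}
# Constructed DNS answers so the check can be exercised offline.
SAMPLE_DNS = {"cdn.example.com": ["93.184.216.34"],
              "img.assets.example.net": ["10.0.0.5"]}
audit_log = []  # one (url, reason) entry per blocked request


def host_allowed(host, allowlist):
    """Exact match, or '*.suffix' match on a label boundary."""
    return any(host.endswith(e[1:]) if e.startswith("*.") else host == e
               for e in allowlist)


def system_resolver(host):
    """Every address the name currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url, allowlist=ALLOWLIST, resolver=system_resolver):
    """Deny by default: return (allowed, reason) and audit every block."""
    reason = None
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        if parts.scheme not in ("http", "https"):
            reason = "scheme not allowed"
        elif parts.username is not None or parts.password is not None:
            reason = "userinfo in URL"
        elif not host_allowed(host, allowlist):
            reason = "host not on allowlist"
        else:
            # An allowlisted name can still point at an internal address.
            for addr in resolver(host):
                if not ipaddress.ip_address(addr).is_global:
                    reason = "resolves to non-public address " + addr
                    break
    except (ValueError, OSError) as exc:
        reason = "unparseable or unresolvable: " + type(exc).__name__
    if reason:
        audit_log.append((url, reason))
        return False, reason
    return True, "allowed"
```

Passing `resolver=SAMPLE_DNS.__getitem__` runs the check against the constructed DNS answers. A production fetcher would also connect to the exact address that was validated, so a second DNS lookup cannot return a different answer.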
Prompt injection risks drop too. Browser and web tool outputs count as untrusted. The system wraps and cleans them before model processing. Hooks harden with constant-time secret checks and rate limits to block brute-force attacks.
OpenClaw changelog states: “Forty dedicated security patches, many submitted by external researchers who found real vulnerabilities in production deployments.” On SSRF: “Gateway and OpenResponses now enforce explicit deny policies, hostname allowlists… If your agent could previously be tricked into fetching internal network URLs — it can’t anymore.”
LevelBlue researchers noted past issues: “The flaw results from Control UI automatically trusting a gatewayURL query… even instances bound to loopback are vulnerable.”
Key Fixes Table
| Component | Fixes Applied | Impact Blocked |
|---|---|---|
| Gateway/OpenResponses | SSRF deny policy, URL allowlists/limits | Internal scans |
| Model Pipeline | Sanitize browser/web outputs | Prompt injection |
| Hooks/Webhooks | Constant-time checks, rate limiting | Brute-force/token theft |
| Browser Control | Mandatory auth, auto-token gen | One-click RCE |
| Scheduler (Cron) | Job skip/dupe prevention | Reliability exploits |
Reliability Boosts
Cron scheduler gets major patches. It stops skipped jobs, duplicates, and restart glitches. Timers re-arm properly. One bad job won’t halt others.
Gateway drains sessions safely on restart. WebSocket handles up to 5MB images. Installs auto-create auth tokens and reject missing ones.
Updated Integrations
- Discord: DM reactions, thread support.
- Mac packages now sign with SHA-256 checks.
- Telegram: Safer messages, better formatting.
- WhatsApp: Markdown and media upgrades.
- Slack: Reply and mention fixes.
- Signal: E.164 validation.
Deployment Tips
- Update via GitHub releases; verify checksums.
- Set files.urlAllowlist and images.urlAllowlist.
- Enable audit logs for blocked requests.
- Test browser auth in loopback mode.
| Check | Purpose | Command |
|---|---|---|
| Token Gen | Secure access | Auto on install |
| Rate Limits | Anti-brute | HTTP 429 headers |
| Logs | Audit blocks | Gateway console |
| Packages | Integrity | SHA-256 verify |
FAQ
Over 40 vulns including SSRF, prompt injection, RCE in browser control.
Blocks unauthenticated loopback RCE and token leaks.
Configure URL allowlists; deny policy active by default.
Patches prevent skips/duplicates; improves heartbeats.
GitHub releases with signed Mac packages.