OpenClaw v2026.2.14: Sweeping Security Updates Across 50+ Vulnerabilities

Quick Brief

• OpenClaw v2026.2.14 released February 14, 2026 with 50+ security hardening fixes across platforms
• Memory-LanceDB now treats recalled memories as untrusted context to prevent prompt injection
• New features include Telegram polls, Discord voice messages with waveforms, and configurable presence
• Security improvements span webhook authentication, SSRF protection, and archive extraction hardening

OpenClaw v2026.2.14 represents the most comprehensive security and stability update released February 14, 2026. The open-source AI assistant platform that reached 196,000 GitHub stars now addresses critical vulnerabilities discovered across messaging integrations, memory systems, and sandbox operations. This release delivers sweeping updates from messaging platform enhancements to improved debugging, media handling, and sandbox reliability.

Critical Security Patches

Memory System Hardening

The Memory-LanceDB integration received critical security improvements to prevent prompt injection attacks. Recalled memories now undergo untrusted context treatment with escaped injection text and explicit non-instruction framing. The system skips likely prompt-injection payloads during auto-capture and restricts automatic capture to user messages only.

Auto-capture functionality now requires explicit autoCapture: true opt-in, with the default changed to disabled. This prevents automatic personally identifiable information capture unless operators intentionally enable it. OpenClaw prioritized this change after security researchers identified memory-poisoning risk vectors through automated content collection.

Media and Archive Security

URL-backed media fetches now stream with bounded limits to prevent memory exhaustion from oversized responses. The system rejects oversized base64-backed input media before decoding to avoid large memory allocations. These changes address resource exhaustion attacks identified during external security audits.

Archive extraction received hardened security across skills installation and hook systems. The platform enforces entry and size limits to prevent resource exhaustion from high-expansion ZIP and TAR archives. Path traversal protections now prevent extraction outside target directories for download-installed skills.

Also Read The Eternal September Has Arrived in Open Source And GitHub Just Launched Its Solution

Platform-Specific Security Improvements

BlueBubbles Integration

BlueBubbles webhook authentication underwent significant hardening behind reverse proxies. The system now accepts passwordless webhooks only for direct localhost loopback requests. Forwarded or proxied requests require password authentication to prevent unauthorized access.

The release rejects ambiguous shared-path webhook routing when multiple targets match the same GUID and password combination. Local outbound media path reads now require explicit mediaLocalRoots allowlists to prevent local file disclosure.

Telegram Security

Telegram webhook startup now requires webhookSecret configuration. Missing or empty secrets trigger rejection to prevent unauthenticated webhook request forgery. The platform switched webhook callback timeout handling to onTimeout: "return" with 10-second limits. Long-running update processing no longer emits webhook 500 errors and retry storms.

Authorization controls transitioned from username-based to numeric sender IDs. The system rejects @username principals for allowlist authorization while openclaw doctor --fix auto-resolves usernames to numeric IDs when possible.

Slack and Discord

Slack DM slash commands now compute authorization even when dmPolicy=open. This prevents unauthorized users from running privileged commands via direct messages. Discord voice message media loading received SSRF and allowed-local-root checks. Tool-supplied paths and URLs can no longer probe internal URLs or read arbitrary local files.

New Messaging Features

Telegram Poll Support

Telegram channels gained poll sending functionality through openclaw message poll commands. Users control duration in seconds, silent delivery options, and anonymity settings. The feature addresses long-standing community requests for interactive polling within Telegram workflows.

Discord Enhancements

Discord now sends voice messages with waveform previews from local audio files. Silent delivery support accompanies this feature for noise-sensitive environments. Configurable presence status and activity settings allow custom status defaults to activity text.

Execution approval prompts can target specific channels or both DM and channel simultaneously through channels.discord.execApprovals.target configuration. Debug logging for message routing decisions improves troubleshooting with --debug flag tracing.

Cross-Platform Improvements

DM Policy Standardization

Slack and Discord received unified DM access control through dmPolicy and allowFrom configuration aliases. Legacy dm.policy and dm.allowFrom keys remain supported while openclaw doctor --fix migrates configurations automatically. WhatsApp now honors per-account dmPolicy overrides with account-level settings taking precedence over channel defaults.

Sandbox Configuration

Browser-container bind mounts gained separate configuration through sandbox.browser.binds. This isolates browser container mounts from execution container configurations for improved security boundaries. File tools now recognize bind-mount paths including absolute container paths while enforcing read-only semantics for writes.

CLI and Developer Experience

Message Sending Improvements

CLI plugin commands now exit after successful delivery across plugin-backed channels. One-shot sends no longer hang after message delivery completion. Registered plugin gateway_stop hooks run before openclaw message exits on both success and failure paths. Plugin-backed channels can clean up one-shot CLI resources properly.

Cron System Stability

Cron jobs deliver text-only output directly when delivery.to is set. Recipients receive full output instead of truncated summaries. The system preserves agent identity including name and icon when cron jobs deliver outbound messages.

Maintenance operations prevent silent skipping of past-due recurring jobs by using recompute semantics. Update operations repair missing or corrupt nextRunAtMs values for updated jobs without globally recomputing unrelated scheduled tasks. Startup processing skips missed-job replay for jobs interrupted mid-run to prevent restart loops for self-restarting tasks.

TUI Enhancements

Terminal Interface Improvements

The text user interface resolves local gateway target URLs from gateway.bind mode instead of hardcoded localhost. TUI connects successfully when gateway uses non-loopback configurations. Explicit --session flags are honored even when session.scope is global. Named sessions no longer collapse into shared global history inappropriately.

Terminal width utilization improved for session name display in searchable select lists. The interface preserves in-flight streaming replies when concurrent runs finalize. Pre-tool streamed text remains visible when subsequent tool-boundary deltas temporarily omit earlier text blocks.

Rendering Reliability

ANSI and control-heavy history text undergoes sanitization. Binary-like lines receive redaction while pathological long unbroken tokens split before rendering. These changes prevent startup crashes when processing binary attachment history. Render-time sanitization hardens for narrow terminals by chunking moderately long unbroken tokens.

Assistant body text now renders in terminal default foreground color instead of fixed light ANSI colors. Contrast remains readable on light themes including Solarized Light.

Agent and Workspace Updates

Media Handling

The system accepts MEDIA:-prefixed paths with lenient whitespace handling when loading outbound media. This prevents ENOENT errors for tool-returned local media paths. Tool result media including screenshots, images, and audio deliver to channels regardless of verbose level settings.

Image tool workspace-local paths work correctly by including active workspace directories in local media allowlists. Sandbox-validated paths are trusted in image loaders to prevent false “not under an allowed directory” rejections. The effective workspace root propagates into tool wiring so workspace-local image paths are accepted by default.

Session Management

Gateway sessions abort active embedded runs and clear queued work before sessions.reset operations. Unavailable status returns if runs do not stop within timeout limits. Transcript path resolution hardens for mismatched agent contexts by preserving explicit store roots. Safe absolute-path fallback ensures correct agent sessions directory access.

Model and Provider Support

New Model Integration

GLM-5 from Z.AI receives synthetic catalog support in the agent system. Ollama integration improves base URL handling for streaming connections. The system avoids forcing tag enforcement for Ollama models which previously suppressed output.

Memory System Optimizations

QMD (Query Memory Database) performance received multiple improvements. The system queries indexes using exact document ID matches before falling back to prefix lookup. Result limits pass to search and vsearch commands enabling earlier result capping. Multi-collection query ranking runs one qmd query -c per managed collection with score-based merging.

File reading avoids loading full markdown files when specific from/lines windows are requested. Sync operations skip rewriting unchanged session export markdown files to reduce disk churn. Result JSON parsing becomes resilient to noisy command output by extracting the first JSON array from stdout.

Security Audit Findings

Windows Command Injection Prevention

Windows installations avoid shell invocation when spawning child processes. This prevents cmd.exe metacharacter injection through untrusted CLI arguments including agent prompt text. Process cleanup scopes to owned child PIDs only to avoid killing unrelated processes on shared hosts.

Path Traversal Protections

The apply_patch tool enforces workspace-root path bounds in non-sandbox mode. Traversal and symlink escape writes are blocked. Symlink-escape checks apply to delete hunks under workspaceOnly mode while allowing symlink deletion itself. macOS installations prevent shell injection when writing Claude CLI keychain credentials.

Network Security

SSRF guard improvements block full-form IPv4-mapped IPv6 literals. This closes loopback, private network, and metadata service access bypasses. Tool-supplied gateway URL overrides restrict to loopback or configured gateway.remote.url addresses. Browser control file upload and download helpers harden against path traversal and local file disclosure.

Platform-Specific Fixes

Signal Integration

Signal preserves case-sensitive group target IDs during normalization. Mixed-case group IDs no longer fail with “Group not found” errors. Archive extraction during signal-cli installation hardens to prevent path traversal outside install roots.

LINE Platform

LINE integration returns 200 OK responses for Developers Console “Verify” requests with empty events arrays and no X-Line-Signature header. Real message deliveries still require signature verification maintaining security posture.

Google Chat and Other Services

Google Chat deprecates users/ allowlists treating users/... as immutable user IDs only. Raw email allowlists remain supported for usability. Webhook routing rejects ambiguous shared-path scenarios when multiple targets verify successfully.

Feishu media URL fetching hardens against SSRF and local file disclosure. Zalo rejects ambiguous shared-path webhook routing for matching secrets. Nostr requires loopback sources and blocks cross-origin profile mutation attempts.

Long-Running Gateway Stability

Memory Leak Prevention

Multiple subsystems received unbounded growth protection. Diagnostic session state entries undergo pruning with tracked session state caps. Gateway memory cleanup includes agentRunSeq tracking on run completion with maintenance-time cap pruning.

Auto-reply abort memory bounds with oldest-entry eviction. Slack thread-starter cache uses TTL and max-size pruning. Outbound directory cache implements max-size eviction with proactive TTL pruning. Skills systems remove disconnected nodes from remote-skills cache.

Installation and Update

How do you install OpenClaw v2026.2.14?

Existing users run openclaw update run from the command line for automatic updates. The self-updater downloads binaries, applies database migrations, and restarts services. New installations require Node.js and Python environments with repository cloning from GitHub.

The CLI adds openclaw logs --local-time for timezone-aware log viewing. This simplifies debugging authentication and integration issues with timestamps matching local clocks instead of UTC.

Who Should Update Immediately

Production deployments with internet-facing messaging integrations should prioritize this update. The memory-poisoning vulnerabilities in LanceDB auto-capture and webhook authentication weaknesses create exploitable attack surfaces. Organizations using OpenClaw for customer support, internal tools, or automated workflows face the highest risk exposure.

Self-hosted installations without external platform integrations benefit from stability improvements with lower immediate security urgency. Local-only assistants gain crash prevention and resource exhaustion protections without critical vulnerability exposure.

Development and Community

Contributor Recognition

The release credits over 80 community contributors who identified bugs, submitted patches, and reported security vulnerabilities. External security researchers including @1seal, @p80n-sec, @yueyueL, @vincentkoc, @christos-eth, @aether-ai-agent, and @simecek received acknowledgment for responsible disclosure.

Project Growth

OpenClaw maintains 614 contributors with 196,000 GitHub stars as of February 2026. The project welcomes bug reports, security findings, integration development, and documentation improvements through GitHub. The four-hour average turnaround from security commit to release demonstrates maintainer responsiveness.

Known Limitations

OpenClaw requires technical proficiency for deployment and maintenance. Users manage Node.js dependencies, configure environment variables, and troubleshoot platform-specific issues. Self-hosted infrastructure means operators handle backups, updates, and security monitoring independently.

Model costs vary based on provider selection. OpenAI GPT and Anthropic Claude incur per-token charges accumulating with usage. Local models through Ollama eliminate ongoing costs but require capable hardware and may sacrifice response quality.

Also Read AI Builds Functional Apps in Hours With Replit Agent 3

Frequently Asked Questions