OpenClaw 2026.2.23 — Security-First Upgrade Meets Expanded Multi‑Model AI Support

OpenClaw’s 2026.2.23 release is one of those updates that signals the project maturing from a fast-moving, feature-first AI assistant into a hardened platform ready for production gateways and privacy-conscious deployments. Tagged by steipete and contributed to by dozens of maintainers, this version balances pragmatic security hardening with meaningful AI improvements: support for Claude Opus 4.6 via the Kilo gateway, improved media and provider integrations, and a set of defensive changes that reduce attack surface across SSRF, stored XSS, telemetry leakage, and risky execution paths.

Why this release matters

OpenClaw’s position as a local, multi-model AI hub—often deployed on macOS, Windows, or Linux as a gateway for messaging apps and personal assistants—makes its security posture critical. Users increasingly run model access and tooling in environments with private networks, sensitive keys, and long-lived sessions. 2026.2.23 deliberately addresses those operational realities: it limits implicit trust in private networks, redacts sensitive data in config and diagnostics, enforces safer execution of dynamic commands, and tightens packaging rules for user‑supplied skills and assets. For teams converting hobby deployments into production-facing gateways, these changes materially reduce risk.

What’s new — security hardening (high level)

  • SSRF policy hardened: The browser SSRF policy now defaults to trusted-network. That shifts from permissive behavior to a safer mode that blocks unsolicited access to internal resources unless explicitly permitted. This is a breaking default change for some legacy deployments, and it reduces opportunities for server-side request forgery.
  • Optional HTTP security headers: OpenClaw can now add standard headers such as Strict-Transport-Security (HSTS) for direct HTTPS deployments. These headers are shipped with validation, test coverage, and documentation to reduce man-in-the-middle and downgrade risks for direct-access gateways.
  • Session maintenance and disk controls: “openclaw sessions cleanup” introduces disk-budget controls and safer handling of conversation transcripts to prevent unbounded storage growth and accidental exposure of conversation data.
  • Config redaction: Snapshots and config exports redact sensitive dynamic keys (env.* and skills.env.*) while preserving restore semantics. This prevents accidental leakage of secrets during support or migration.
  • Execution and command safety: Obfuscated or suspicious commands now trigger explicit approval, blocking silent execution of injected payloads.
  • ACP client and file access restrictions: ACP client permissions now require trusted tool IDs and scoped read approvals to prevent unauthorized file access by third-party tools.
  • Skills packaging safety: Packaging rejects symlink escapes and blocks XSS-vulnerable prompts in image gallery outputs, mitigating common ways attackers try to escape sandboxes or craft stored XSS payloads.
  • OTEL diagnostics redaction: Observability exports scrub API keys and sensitive telemetry before export, closing a channel that could leak credentials to external collectors.
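
The config-redaction item above says exports hide env.* and skills.env.* while staying restorable. The sketch below is an added example, not OpenClaw source, of one way to get both properties; the sentinel string, the function names and the sample config are assumptions made for illustration.

```javascript
// Added illustration, not OpenClaw code. SENTINEL and all function names are hypothetical.
const SENTINEL = "__REDACTED__";
// Path patterns from the release summary: every key below env and below skills.env.
const SENSITIVE_PREFIXES = [["env"], ["skills", "env"]];

const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// True when `path` lies strictly below one of the sensitive prefixes.
function isSensitive(path) {
  return SENSITIVE_PREFIXES.some(
    (p) => path.length > p.length && p.every((seg, i) => path[i] === seg)
  );
}

// Copy of the config that is safe to hand to support: secret values become the sentinel.
function redactSnapshot(node, path = []) {
  if (!isPlainObject(node)) return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    const child = [...path, key];
    out[key] = isSensitive(child) ? SENTINEL : redactSnapshot(value, child);
  }
  return out;
}

// Merge an edited export back: a surviving sentinel takes the live value, edits win.
function restoreSnapshot(edited, original) {
  if (edited === SENTINEL) {
    // Refuse to persist the sentinel itself as if it were a secret.
    if (original === undefined) throw new Error("sentinel has no original value to restore");
    return original;
  }
  if (!isPlainObject(edited)) return edited;
  const out = {};
  for (const [key, value] of Object.entries(edited)) {
    out[key] = restoreSnapshot(value, isPlainObject(original) ? original[key] : undefined);
  }
  return out;
}

// Constructed sample config; keys and values are made up.
const live = {
  gateway: { port: 8443 },
  env: { PROVIDER_API_KEY: "constructed-secret-1" },
  skills: { env: { WEATHER_TOKEN: "constructed-secret-2" } },
};
const exported = redactSnapshot(live);
// The operator rotates one key in the export and leaves the other untouched.
const edited = JSON.parse(JSON.stringify(exported));
edited.env.PROVIDER_API_KEY = "constructed-secret-3";
const restored = restoreSnapshot(edited, live);
```

When validating an upgrade in staging, the same two properties are worth checking against a real export: no secret value appears in the file, and restoring an untouched export leaves the running secrets unchanged.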

Breaking change and migration notes

  • SSRF default mode change: The move to trusted-network by default is a deliberate security posture shift. Administrators with internal workflows that rely on the previous allowPrivateNetwork behavior must explicitly opt back in or migrate legacy settings. OpenClaw includes a migration helper: openclaw doctor --fix, which will surface issues and apply automated adjustments where safe. Still, operators should test the effect in staging before flipping production.
  • Test and rollback plans: Because session handling, config snapshots, and redaction affect backup/restore and support workflows, implement a staged rollout: run 2026.2.23 in non-production, validate snapshot restores, and ensure automated monitoring behaves as expected before promoting.

AI and provider feature highlights

  • Claude Opus 4.6 via Kilo Gateway: First-class Kilo Gateway integration, with kilocode/anthropic/claude-opus-4.6 configured as a default option, including authentication flows, onboarding helpers, and caching strategies. This simplifies adopting new Anthropic models.
  • Provider normalization and Moonshot additions: Vercel AI Gateway now normalizes shorthand Claude references. The tools/web_search integration adds a Moonshot “kimi” provider to improve citation extraction in search results.
  • Media and video: Native Moonshot video support and refactored execution paths improve media understanding and ensure better header/URL precedence when fetching resources.
  • Agents and caching improvements: Agents can use per-agent parameter overrides for cacheRetention and bootstrap caching to limit prompt invalidation across models. Prompt caching docs were clarified to help deployments tune retention across Bedrock/OpenRouter and other backends.
  • Resilience fixes: The release tightens context pruning for Moonshot/Kimi providers, resolves model resolution for default fallbacks, and improves overflow detection and failover behavior for provider 502/503 responses.

Operational guidance — what teams should do next

  • Inventory and plan: Identify deployed OpenClaw instances and their exposure (public web, internal-only, local desktop). Note which ones rely on internal network requests or vendor integrations that might be impacted by the SSRF policy change.
  • Staging first: Deploy 2026.2.23 in a staging environment. Run openclaw doctor to surface migration recommendations and test snapshot/restore flows to confirm config redaction and session cleanup won’t unexpectedly break operations.
  • Review gateway TLS and headers: If you’re terminating TLS at the gateway or exposing a direct HTTPS endpoint, enable and validate the new HTTP security headers (HSTS) and test with your clients and reverse proxies.
  • Validate telemetry and observability: Confirm OTEL exports are properly redacting keys and that your monitoring pipeline still receives the necessary diagnostics without sensitive data leakage.
  • Reassess permissions for tools and skills: Audit ACP client permissions, trusted tool IDs, and any skill packaging you accept from third parties. Repackage or reject legacy skills that rely on symlink escapes or produce HTML prompts that could be XSS-vulnerable.
  • Adjust caching and agent configs: Use per-agent overrides to tune caching retention so you get the benefits of prompt cache without undesirable prompt staleness in multi-provider setups.
  • Update runbooks: Add rollback guidance to your release notes, and update incident response and compliance documentation to reflect redaction behavior and new session retention rules.

Developer and contributor implications

  • Code hygiene and tests: The release places more emphasis on validation, tests, and documentation. Contributors should model similar rigor for future features—particularly around security-related changes that affect defaults.
  • Packaging constraints: If you develop third-party skills or UI components, avoid relying on filesystem tricks like symlink escapes. Keep HTML outputs sanitized and consider explicit content-escaping libraries to avoid introducing XSS vectors.
  • Observability hygiene: When adding diagnostic fields, treat any token-like or credential-shaped values as sensitive by default and add them to redaction policies.
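
For the packaging-constraints item above, skill authors can pre-check a package listing for the symlink escapes that packaging now rejects. This is an added example, not OpenClaw's packaging code; the entry shape ({ path, type, target }), the function names and the sample listing are assumptions.

```javascript
// Added illustration, not OpenClaw code. Entry shape and function names are hypothetical.

// Resolve a relative path against a base directory given as an array of segments.
// Returns null when the path is absolute or climbs above the package root.
function resolveInside(baseSegments, rel) {
  if (typeof rel !== "string") return null;
  if (/^[\\/]/.test(rel) || /^[A-Za-z]:[\\/]/.test(rel)) return null; // absolute
  const segs = [...baseSegments];
  for (const part of rel.split(/[\\/]+/)) {
    if (part === "" || part === ".") continue;
    if (part === "..") {
      if (segs.length === 0) return null; // would step out of the root
      segs.pop();
    } else {
      segs.push(part);
    }
  }
  return segs;
}

// Return every entry whose own path or symlink target lands outside the package.
function findPackageEscapes(entries) {
  const problems = [];
  for (const entry of entries) {
    const own = resolveInside([], entry.path);
    if (own === null) {
      problems.push({ path: entry.path, reason: "entry path leaves package root" });
      continue;
    }
    if (entry.type === "symlink") {
      const linkDir = own.slice(0, -1); // targets resolve relative to the link's directory
      if (resolveInside(linkDir, entry.target) === null) {
        problems.push({ path: entry.path, reason: "symlink target leaves package root" });
      }
    }
  }
  return problems;
}

// Constructed package listing; names are made up.
const sampleEntries = [
  { path: "README.md", type: "file" },
  { path: "assets/logo.png", type: "file" },
  { path: "assets/shared", type: "symlink", target: "../lib" }, // stays inside
  { path: "assets/keys", type: "symlink", target: "../../outside-dir" },
  { path: "conf", type: "symlink", target: "/absolute/elsewhere" },
  { path: "../outside.txt", type: "file" },
];
const escapes = findPackageEscapes(sampleEntries);
```

The check is lexical, so it suits archive listings before extraction; on an unpacked directory, compare each entry's real path against the package root as well, since a link that points at another link can still resolve outside.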

Risks and trade-offs

  • Usability vs. safety: Defaulting to trusted-network for SSRF and redacting keys from snapshots increase safety, but they introduce friction for deployments that relied on permissive defaults. The release favors a conservative security posture; operators should budget time for migration and testing.
  • Breaking changes require coordination: Teams that expose OpenClaw to large user bases or integrate many third-party skills will need to coordinate rolling upgrades carefully to avoid unexpected interruptions.

Conclusion

OpenClaw 2026.2.23 is a significant step toward a production-grade, privacy-forward AI gateway. By coupling new model and provider support with careful security controls—SSRF hardening, config redaction, safer execution paths, OTEL scrubbing, and packaging safeguards—the project addresses the most common risks of operating multi-model assistants in real environments. The release nudges operators to adopt safer defaults, and while some changes require migration work (notably SSRF behavior), the overall effect is a more robust platform for anyone running local AI gateways at scale.

Credits and community

Tagged by steipete and built with contributions from dozens of developers. For operators and contributors, review the release notes and migration guidance in the OpenClaw repository and run the included doctor tooling to smooth the upgrade path.
