OpenClaw 2026.2.12 dropped early Friday morning, and the changelog reads like a security audit report — because, effectively, it is one.

The Security Story

Forty fixes. Not forty changes that happen to touch security. Forty dedicated security patches, many submitted by external researchers who found real vulnerabilities in production deployments.

The headline items:

  • SSRF hardening across the entire URL input pipeline. Gateway and OpenResponses now enforce explicit deny policies, hostname allowlists (files.urlAllowlist / images.urlAllowlist), per-request URL input caps, and audit logging for blocked fetches. If your agent could previously be tricked into fetching internal network URLs through crafted image or file inputs — it can't anymore.

  • Prompt injection defenses. Browser snapshots, web tool outputs, and tab/console data are now wrapped as untrusted content by default. The compaction pipeline strips toolResult.details from model-facing transcripts, cutting off a replay vector that could persist injected instructions across context windows.

  • Webhook auth hardening. Constant-time secret comparison across all hook and device token verification, plus per-client auth-failure throttling with 429 + Retry-After. The BlueBubbles webhook auth bypass via loopback proxy trust (#13787) is particularly notable — @coygeek also caught a Nostr profile API remote config tampering bug.

  • Sandbox confinement. Skill sync destinations are now confined to the sandbox skills/ root. Previously, frontmatter-controlled skill names could be used as filesystem paths. Thanks @1seal.

  • Session path traversal. Transcript path resolution is hardened and unsafe session IDs are rejected, keeping operations within agent session directories.

Breaking Change

The /hooks/agent POST endpoint now rejects sessionKey overrides by default. If you use fixed hook contexts, set hooks.defaultSessionKey (recommended with hooks.allowedSessionKeyPrefixes: ["hook:"]). Legacy behavior requires explicit hooks.allowRequestSessionKey: true. This closes a session-routing attack surface flagged by @alpernae.

New Models

  • GLM-5 (Z.AI) gets expanded endpoint support with region-specific auth choices (zai-coding-global, zai-coding-cn, zai-global, zai-cn).
  • MiniMax M2.5 and M2.5-Lightning replace M2.1 as defaults, with updated model filtering.

The Cron Fix Parade

If you've ever had a cron job mysteriously skip, double-fire, or stall — this release is for you. Eight separate cron fixes address:

  • Jobs skipping when nextRunAtMs advances
  • Duplicate fires when multiple jobs trigger simultaneously
  • One bad job breaking all other jobs (now isolated)
  • One-shot at jobs re-firing after restart
  • Timer re-arming failures during execution
  • Heartbeat scheduler stalls on unexpected errors
  • Session model overrides not being honored for isolated runs

Seven different contributors. That's either impressive community effort or a sign the old scheduler was held together with hope.

Everything Else

  • IRC integration for bots (buried in the release title but not detailed in the changelog — more to come?)
  • Telegram renders blockquotes as native <blockquote> tags
  • WhatsApp gets Markdown bold/strikethrough conversion, media-only sends, and voice message MIME fixes
  • Slack defaults replyToMode to "all" and detects control commands with bot mention prefixes
  • Signal enforces E.164 validation during setup
  • Discord finally processes DM reactions and respects replyToMode in threads
  • Ollama uses the configured base URL for model discovery instead of hardcoded defaults
  • Gateway drains active turns before restart to prevent message loss, and raises WS payload limits to 5MB for image attachments
  • CLI adds openclaw logs --local-time with timezone offsets

The Takeaway

This is the kind of release that makes you retroactively nervous about what was possible before it. Forty security patches, many from external researchers, suggest OpenClaw's growing user base is attracting serious scrutiny. That's healthy — and the team's response time (4 hours from commit to release for some fixes) shows they're taking it seriously.

Update now: openclaw update run or let your self-updater handle it.