openclaw just shipped 40+ security fixes. here's what changed.
openclaw — the open-source AI agent runtime that connects LLMs to your existing channels (slack, teams, whatsapp, discord, signal, imessage) — just shipped 40+ security fixes across three releases in two weeks. two published security advisories. a breaking authentication change. all documented transparently.
that’s unusual velocity. it comes in the context of increased scrutiny on agent runtime security across the ecosystem — including a critical RCE vulnerability (CVE-2026-25253) disclosed in january, thousands of publicly exposed instances, and community reports highlighting malicious skills in the ClawHub ecosystem. this hardening sprint is worth paying attention to — not just for the specific fixes, but for what it tells us about where the agentic ecosystem is heading.
what they patched
session management. openclaw overhauled how it manages long-lived agent sessions, including hardening session routing logic and rejecting session key overrides by default. a misbehaving client could previously exhaust system resources through uncontrolled session creation. the fixes tighten the session lifecycle across the board. if you’re running agents that maintain persistent connections to your systems, this directly reduces your exposure to resource amplification.
tool authorization. this is the most significant change. openclaw now blocks high-risk tools by default and fails closed when permissions are ambiguous. previously, any registered tool was callable — meaning a prompt-injected agent with unrestricted tool access had a privilege escalation path to your backend services. now the default is deny-by-default: if the system can’t confidently determine what permissions apply, the answer is no. this is the right posture for any system that lets AI agents call tools on behalf of users.
plugin and skill containment. the release adds path validation to plugin loading and skill downloads, preventing crafted plugins from accessing files outside their intended directory. two published advisories address related risks: option injection in pre-commit hooks that could stage ignored files, and bot token exposure via logs. this is the supply chain risk that comes with any growing plugin ecosystem, and these fixes address it directly.
authentication tightening. as of v2026.2.13, canvas IP-based authentication now requires bearer tokens from public IP addresses. previously, any matching IP could authenticate without a token — an auth bypass that could be exploited from outside the local network. this is a breaking change, so if you’re accessing canvas remotely, update your clients.
what this tells us
40+ fixes in two weeks tells you two things: the attack surface is real, and the project is actively addressing it. the advisories were published transparently, the breaking changes were documented, and the ecosystem can act on the information.
it also signals where the entire agentic ecosystem is in its lifecycle. we’re past “does it work?” and into “is it safe to run in production?” the answer is increasingly yes — but only when security is addressed at every layer independently.
the four categories openclaw patched — resource exhaustion, privilege escalation, supply chain containment, authentication bypass — aren’t unique to openclaw. they’re the attack surface taxonomy for any agent runtime. if you’re deploying agents on any platform, these are the classes of risk to evaluate.
the case for layered security
runtime hardening and governance-layer security are complementary. a well-secured runtime reduces the blast radius of any single vulnerability. an independent governance layer — identity verification, policy enforcement, audit logging, PII detection — adds a separate trust boundary that works regardless of which runtime sits underneath.
the value of each layer increases when the other is also strong. openclaw hardening the runtime makes governance more effective. governance hardening the boundary makes runtime vulnerabilities less exploitable. neither replaces the other.
you can see this playing out in real time. the same week openclaw shipped these runtime patches, Adversa AI launched SecureClaw — an independent security audit tool with 55 checks covering attack surface the runtime patches don’t touch. that’s the ecosystem self-organizing around exactly this principle: runtime security and governance security as separate, complementary layers.
this is why teams are increasingly separating runtime from governance — so that the security of one doesn’t depend on the perfection of the other.
what to do
if you’re running openclaw: update to v2026.2.17. the tool authorization defaults changed — existing integrations may need reconfiguration. if you access canvas from outside your network, add bearer token auth.
if you’re evaluating agent deployment: use this release as a checklist. ask your runtime vendor how they handle session lifecycle, tool authorization defaults, plugin containment, and auth fallback. then ask the same questions about your governance layer. the answers should be independent.
if you’re already running agents in production: the attack surface taxonomy in this release — resource exhaustion, privilege escalation, supply chain, auth bypass — is a useful framework for your own security review, regardless of which runtime you’re on.
the agentic ecosystem is maturing fast. releases like this one are proof. the teams that benefit most will be the ones treating security as a layered discipline, not a single vendor’s responsibility.
interested in working together? let's talk