Security Guide
Keep your OpenClaw instance safe and up to date
Security Advisory
CVE-2026-25253: Critical (CVSS 8.8). A critical vulnerability in OpenClaw versions before 2026.1.29 allows remote code execution (RCE) when the bot processes attacker-controlled web content. The flaw also enables auth token exfiltration via crafted URLs.
Update immediately to v2026.2.21 or later.
Supported AI Models
v2026.2.21 adds support for the latest models
Deployment Hardening
Best practices for securing your OpenClaw instance
Rotate Credentials
If you ran a vulnerable version while browsing untrusted sites, assume your API keys and auth tokens were exfiltrated and rotate all of them immediately. Rotate only after updating: a token issued on a still-vulnerable instance can be stolen again through the same flaw.
openclaw config reset-token
Enable Authentication
Never expose your OpenClaw Gateway without authentication. Set a strong auth token and enable HTTPS.
openclaw config set auth.token YOUR_SECURE_TOKEN
openclaw config set gateway.https true
Network Isolation
Bind the Gateway to localhost or use a VPN. Do not expose port 3000 directly to the public internet.
openclaw config set gateway.host 127.0.0.1
Reverse Proxy with TLS
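The three steps above (rotate, authenticate, bind to loopback) as one added audit script. This is example code written for this guide, not part of OpenClaw's own tooling; it assumes the openclaw config set keys shown on this page, a Gateway listening on TCP port 3000, and the ss utility on the host. It generates a real random token in place of the YOUR_SECURE_TOKEN placeholder, refuses obvious placeholders, and then verifies from the socket table that nothing on port 3000 is reachable from outside the host, rather than trusting the config file.

```shell
#!/bin/sh
# Added example (not OpenClaw's own tooling): apply and verify the Gateway hardening steps.
# Assumptions: `openclaw config set` keys as documented on this page; Gateway on TCP 3000;
# `ss` available for the listener check.
set -eu

# Generate a 256-bit random token as 64 hex characters (replaces YOUR_SECURE_TOKEN).
gen_token() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return 0 when the token is at least 32 characters and not a leftover placeholder.
token_ok() {
  t="$1"
  [ "${#t}" -ge 32 ] || return 1
  case "$t" in
    *YOUR_SECURE_TOKEN*|*changeme*|*password*) return 1 ;;
  esac
  return 0
}

# Read `ss -ltn` output on stdin and print every TCP listener on port 3000 whose bind
# address is not loopback (127.0.0.0/8 or ::1). Empty output means nothing is exposed.
exposed_listeners() {
  awk '$1 == "LISTEN" {
         addr = $4; port = $4
         sub(/.*:/, "", port)          # text after the last colon is the port
         sub(/:[0-9]+$/, "", addr)     # strip the port to get the bind address
         if (port == "3000" && addr !~ /^(127\.|\[::1\])/) print $4
       }'
}

# Apply the settings only where the CLI exists; elsewhere the script just defines the checks.
if command -v openclaw >/dev/null 2>&1; then
  TOKEN="$(gen_token)"
  token_ok "$TOKEN" || { echo "refusing to set a weak token" >&2; exit 1; }
  openclaw config set auth.token "$TOKEN"
  openclaw config set gateway.https true
  openclaw config set gateway.host 127.0.0.1
  echo "settings applied; restart the Gateway so the new bind address takes effect" >&2
fi

# Post-restart check: fail if the Gateway port is still bound to a non-loopback address.
if command -v ss >/dev/null 2>&1; then
  exposed="$(ss -ltn | exposed_listeners)"
  if [ -n "$exposed" ]; then
    echo "Gateway still reachable on: $exposed" >&2
    exit 1
  fi
fi
```

Run it once after upgrading to apply the settings, then again after restarting the Gateway; a non-zero exit from the second run means port 3000 is still bound to 0.0.0.0 or [::] and the reverse-proxy-only setup described next is not actually enforced.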
Use Nginx or Caddy as a reverse proxy with TLS termination, and add rate limiting and IP allowlisting at the proxy. The Caddyfile below terminates TLS (Caddy provisions the certificate automatically for a public hostname) and forwards to the Gateway bound on localhost. The rate_limit directive comes from the caddy-ratelimit module (github.com/mholt/caddy-ratelimit), which is not part of stock Caddy and must be compiled in, for example with xcaddy; restrict who can reach the host with a remote_ip matcher or at the firewall. If the Gateway itself serves HTTPS (gateway.https true), point reverse_proxy at https://localhost:3000 instead.
openclaw.yourdomain.com {
	rate_limit {
		zone openclaw {
			key {remote_host}
			events 10
			window 1s
		}
	}
	reverse_proxy localhost:3000
}
Skill & Plugin Vetting
Only install skills from the official ClawHub marketplace. v2026.2.21 includes VirusTotal scanning for all marketplace submissions. Review skill permissions before installing.
Browser Isolation
Avoid browsing untrusted websites while logged into the OpenClaw Control UI. Use isolated browser profiles for administration.