OpenClaw 2026.2.23 Release Features
Overview
Major release addressing multiple security vulnerabilities and introducing significant new features for secrets management, model support, and channel integrations.
Security Updates
External Secrets Management
New openclaw secrets workflow:
openclaw secrets audit # Scan for exposed secrets
openclaw secrets configure # Set up secret providers
openclaw secrets apply # Deploy secrets securely
openclaw secrets reload # Runtime secret rotation
Runtime Snapshot Verification
- Secret integrity checking
- Tamper detection
- Automatic rollback on verification failure
HSTS Headers
- Optional security hardening for Gateway
- HTTPS enforcement
- Protection against downgrade attacks
New Model Support
| Model | Provider | Use Case |
|---|---|---|
| Claude Opus 4.6 | Anthropic | Complex reasoning |
| Kimi K2.5 | Moonshot AI | Chinese language |
| Xiaomi MiMo-V2-Flash | Xiaomi | Edge devices |
| Gemini 3.1 | General purpose |
New Channel Plugins
- Twitch - Streaming platform integration
- Google Chat - Enterprise messaging
- DingTalk - Chinese enterprise platform
Bug Fixes
- CVE-2026-25253 (CVSS 8.8) - Auth token theft RCE
- CVE-2026-26322 (CVSS 7.6) - SSRF in Gateway
- CVE-2026-26319 (CVSS 7.5) - Missing webhook auth
- CVE-2026-26329 - Path traversal
- CVE-2026-27004 - ClawJacked vulnerability
Migration Guide
From 2026.2.x
openclaw update
openclaw secrets audit
openclaw gateway restart
Configuration Updates
Add to gateway.json:
{
"security": {
"hsts": {
"enabled": true,
"maxAge": 31536000
}
}
}
References
- OpenClaw GitHub Releases
- Cryptika Security Blog (February 24, 2026)
- Cybersecurity News (February 24, 2026)