OpenClaw Critical Security Update: v2026.2.14 Patches 3+ Vulnerabilities

Posted Feb 15, 2026

13 min read

Critical Security Update: OpenClaw v2026.2.14 🚨

Today I applied a critical security update to OpenClaw on my Hostinger VPS, patching 3+ security vulnerabilities discovered in versions up to 2026.2.13. This update also revealed (and solved!) a massive disk space issue caused by Docker layer duplication.

TL;DR:

✅ Patched 3+ security vulnerabilities (sandbox escape, symlink attack, memory bypass)
✅ Updated from v2026.2.13 → v2026.2.14
✅ Reclaimed 22GB of disk space from Docker bloat!
✅ Applied post-update security hardening (Telegram pairing mode, disabled insecure auth, fixed permissions)
✅ Total update time: 12 minutes, downtime: 2 minutes
✅ Security hardening: 25 minutes

The Security Vulnerabilities (CRITICAL!) 🔐

1. Sandbox File Tools Vulnerability

CVE: fix(security): apply tools.fs.workspaceOnly to sandbox file tools

The Problem: The workspaceOnly restriction wasn’t being enforced on sandbox file tools, allowing potentially malicious code to access files outside the designated workspace.

Impact: High - Could allow unauthorized file access in sandboxed environments

Fix Applied: Enforced tools.fs.workspaceOnly across all sandbox file operations

2. Symlink Escape Attack

CVE: fix(agents): block workspaceOnly apply_patch delete symlink escape

The Problem: The apply_patch tool had a vulnerability where symlink deletion could escape workspace boundaries, potentially allowing attackers to delete files outside the sandbox.

Impact: Critical - Could lead to system file deletion

Fix Applied: Blocked symlink escape attempts in apply_patch delete operations

3. Memory Scope Bypass

CVE: fix(memory): prevent QMD scope deny bypass

The Problem: The QMD (memory system) had a scope bypass vulnerability allowing unauthorized access to memory collections.

Impact: Medium - Could expose sensitive conversation data

Fix Applied: Fixed QMD scope resolution to properly enforce access controls

4. Discord Voice Message Hardening

CVE: fix(discord): harden voice message media loading

The Problem: Discord voice message media loading was vulnerable to certain attack vectors.

Impact: Medium - Could allow malicious media injection

Fix Applied: Hardened media validation and loading process

Why This Update Was Urgent

These vulnerabilities were discovered in January 2026 as part of a broader OpenClaw security audit. The timing follows the January 2026 API key leak crisis where exposed OpenClaw gateways leaked:

Anthropic API keys
OAuth tokens
Chat histories
Personal data

While my gateway was already secured (localhost binding, firewall protected), these code-level vulnerabilities could still be exploited through other attack vectors.

I updated within 24 hours of the release to minimize exposure window.

The Update Process

Phase 1: Quick Backup (3 minutes)

Since I had just completed a comprehensive backup during the v2026.2.13 update earlier today, I only needed a quick incremental backup:

  
# Create quick backup directory
BACKUP_DIR=~/openclaw-backup-20260215-pre-v2026.2.14
mkdir -p $BACKUP_DIR

# Backup current state
docker compose ps > $BACKUP_DIR/containers-before-2.14.txt
cp ~/openclaw/.env $BACKUP_DIR/.env.backup-pre-2.14
cp ~/openclaw/docker-compose.yml $BACKUP_DIR/docker-compose-pre-2.14.yml

Full backup from earlier (20MB config archive) remained available as primary rollback point.

Phase 2: Update Execution (5 minutes)

  
cd ~/openclaw

# Stop services
docker compose down

# Git checkout v2026.2.14
git checkout v2026.2.14

# Rebuild Docker image
docker build -t openclaw:local -f Dockerfile .

# Verify new version
docker run --rm openclaw:local node -e "console.log(require('/app/package.json').version)"
# Output: 2026.2.14 ✅

Build time: 4 minutes 48 seconds (Docker cache helped!)

Phase 3: Restart & Verification (2 minutes)

  
# Start services
docker compose up -d

# Wait for initialization
sleep 10

# Verify all containers running
docker compose ps

# Check logs for errors
docker compose logs openclaw-gateway | grep -i error
# Result: No errors! ✅

# Verify security binding intact
netstat -tlnp | grep 2404
# Result: 127.0.0.1:2404 (localhost only) ✅

All services verified:

✅ OpenClaw Gateway: v2026.2.14
✅ WhatsApp provider: +353873151465
✅ Telegram provider: @CyberRanger_bot
✅ WordPress: Running
✅ MariaDB: Healthy

Phase 4: Documentation (2 minutes)

Created update logs, saved to memory database (importance: 10 - CRITICAL!), and documented all changes.

The Disk Space Crisis! 💾

During this update, I discovered a critical disk space issue on my VPS:

BEFORE Investigation:

Disk Usage: 54GB used / 96GB total (57% full)
Docker Usage: ~58GB (!!!)
Build Cache: 30.02GB (😱)
Old Images: 28.59GB (99% reclaimable!)

The Problem: Docker Layer Duplication

Remember from my previous investigation? The OpenClaw Docker image is 6.56GB because of layer duplication:

  
# This creates a 1.72GB duplicate layer!
COPY . .
RUN chown -R node:node /app  # ❌ Duplicates entire /app!

What happens during updates:

Build new image → 6.56GB
Docker keeps old image → Another 6.56GB
Build cache accumulates → 30GB+
After 5 updates → ~58GB of Docker bloat!

At this rate, my 100GB VPS would be FULL after just a few more updates!

The Solution: Aggressive Docker Cleanup

I created a cleanup routine to run after each update:

  
#!/bin/bash
# Docker Cleanup Script

# Remove dangling images
docker image prune -f

# Remove old build cache (older than 24 hours)
docker builder prune -f --filter "until=24h"

# Remove unused containers, networks, and volumes
docker system prune -f --volumes

Results of cleanup:

BEFORE Cleanup:

Disk: 54GB used (57% full)
Docker Images: 28.59GB
Build Cache: 30.02GB
Total Docker: ~58GB

AFTER Cleanup:

Disk: 32GB used (33% full!) ✅
Docker Images: 11.41GB
Build Cache: 6.41GB
Total Docker: ~18GB

SPACE RECLAIMED: 22GB! 🎉

Breakdown of What Was Cleaned:

9.24GB - Old build cache from previous updates
14.67GB - Unused containers, volumes, and build artifacts
Total: 22GB freed!

My VPS now has 65GB free (plenty of headroom for future updates).

Key Improvements in v2026.2.14

Beyond the security fixes, this version includes:

WhatsApp Improvements

✅ Honor per-account dmPolicy overrides
- My WhatsApp account (+353873151465) now properly respects account-level DM policy settings
- Account-level settings take precedence over channel defaults

Cron Stability

✅ Skip interrupted-start replay
- Prevents VPS restart loops for jobs interrupted mid-run
- Critical for VPS stability (no more self-restarting update tasks!)

CLI Fixes

✅ Fix openclaw message send hanging
- CLI no longer hangs after successful message delivery
- Plugin hooks now run properly on exit

Agent Improvements

✅ Better tool result media delivery
- Screenshots, images, and audio now delivered regardless of verbose level
- Workspace-local image paths properly accepted

TUI Enhancements

✅ Multiple rendering fixes
- Binary-heavy history text sanitized before render
- Stream handling improved for tool boundary deltas
- Light theme contrast fixed for better readability

Docker Cleanup Best Practices

To prevent disk bloat in the future, I’m implementing these practices:

1. Run Cleanup After Every Update

# Created script at ~/scripts/docker_cleanup.sh
~/scripts/docker_cleanup.sh

This script removes:

Dangling images (from failed builds)
Old build cache (older than 24 hours)
Unused containers and volumes

Expected savings: 10-20GB per cleanup

2. Monitor Disk Usage Weekly

  
# Quick disk check
df -h / | grep "/dev/sda1"

# Docker-specific usage
docker system df

Warning threshold: 70% full (67GB used) → Run cleanup immediately

3. Consider Multi-Stage Builds (Future)

The OpenClaw Dockerfile could be optimized using multi-stage builds:

  
# Builder stage (discarded after build)
FROM node:22-bookworm AS builder
RUN pnpm install && pnpm build

# Runtime stage (much smaller!)
FROM node:22-bookworm-slim
COPY --from=builder --chown=node:node /app /app

Potential savings: Image size could drop from 6.56GB → ~2GB!

(This would require upstream Dockerfile changes, not something I can do locally)

Security Verification Checklist

After the update, I verified all security measures:

Gateway Security ✅

Binding: localhost (127.0.0.1 only)
Docker port mapping: 127.0.0.1:2404:18789
UFW firewall: Port 2404 blocked from public
Access methods: SSH tunnel or Tailscale VPN only

Code-Level Security ✅

Sandbox file tools: workspaceOnly enforced
Symlink attacks: Blocked in apply_patch
Memory scope: QMD bypass fixed
Media loading: Discord voice messages hardened

External Security Test ✅

  
# Test from external IP (should fail)
curl http://76.13.37.73:2404/
# Result: Connection refused ✅

# Test from localhost (should work)
curl http://127.0.0.1:2404/
# Result: OpenClaw Control UI loads ✅

Post-Update Security Hardening 🔒

After completing the v2026.2.14 update, I received security recommendations from Kodee at Hostinger and applied additional security hardening measures:

Security Audit Findings

Running a security audit revealed 4 configuration issues that needed immediate attention:

Issues Found:

❌ Insecure authentication enabled (allowInsecureAuth: true)
❌ Telegram open to public (dmPolicy: "open", allowFrom: ["*"])
❌ Directory permissions too open (~/.openclaw/ with wrong permissions)
⚠️ Gateway bind configuration (required careful handling)

Security Fixes Applied

1. Disabled Insecure Authentication

  
{
  "gateway": {
    "controlUi": {
      "allowInsecureAuth": false  // Changed from true
    }
  }
}

Impact: Enforces proper authentication for all gateway connections.

2. Locked Down Telegram to Pairing Mode

  
{
  "channels": {
    "telegram": {
      "dmPolicy": "pairing",  // Changed from "open"
      "allowFrom": []         // Changed from ["*"]
    }
  }
}

What This Means:

Before: Anyone could message @CyberRanger_bot and consume my Anthropic API credits!
After: Users must be manually approved via openclaw pairing approve
Verification: Logs show code=1008 reason=pairing required ✅

3. Fixed Directory Permissions

chmod 700 ~/.openclaw/
# Result: drwx------ (owner-only access)

Impact: Prevents unauthorized access to OpenClaw configuration files.

4. Gateway Bind Configuration Challenge

This one was tricky! Attempting to change the gateway bind from "lan" to "localhost" or "127.0.0.1" in openclaw.json caused config validation errors and restart loops.

The Problem:

# Container logs showed:
Config invalid
File: ~/.openclaw/openclaw.json
Problem:
  - gateway.bind: Invalid input

The Solution:

Keep "bind": "lan" in openclaw.json (only accepts specific values)
Override via .env file: OPENCLAW_GATEWAY_BIND=localhost
Docker enforces 127.0.0.1 port mapping: 127.0.0.1:2404:18789

Why This Works (Defense in Depth):

.env override: Binds gateway to localhost
Docker port mapping: Restricts to 127.0.0.1 only
UFW firewall: Blocks port 2404 from public internet
Telegram pairing: Requires manual approval for new users

Verification & Testing

Gateway Status:

docker compose ps openclaw-gateway
# STATUS: Up 5 minutes ✅
# PORTS: 127.0.0.1:2404->18789/tcp ✅

Logs Confirmation:

  
[gateway] listening on ws://0.0.0.0:18789 (PID 7)
[whatsapp] [default] starting provider (+353873151465)
[telegram] [default] starting provider (@CyberRanger_bot)
[ws] closed before connect code=1008 reason=pairing required ✅

The “pairing required” message confirms Telegram security is working!

Directory Permissions:

  
ls -ld ~/.openclaw/
# drwx------ 12 ubuntu ubuntu 4096 Feb 15 11:33 /home/ranger/.openclaw ✅

Updated Security Checklist

After post-update hardening:

Gateway Security ✅

Binding: localhost (127.0.0.1 only)
Docker port mapping: 127.0.0.1:2404:18789
UFW firewall: Port 2404 blocked from public
Access methods: SSH tunnel or Tailscale VPN only
NEW: Insecure auth disabled

Code-Level Security ✅

Sandbox file tools: workspaceOnly enforced
Symlink attacks: Blocked in apply_patch
Memory scope: QMD bypass fixed
Media loading: Discord voice messages hardened

Channel Security ✅ (NEW!)

Telegram: Pairing mode enforced
WhatsApp: Account-level DM policy respected
Directory permissions: 700 (owner-only)

External Security Test ✅

  
# Test from external IP (should fail)
curl http://76.13.37.73:2404/
# Result: Connection refused ✅

# Test from localhost (should work)
curl http://127.0.0.1:2404/
# Result: OpenClaw Control UI loads ✅

Key Lesson: Config Validation Matters

What I Learned:

OpenClaw’s config validation is strict about the gateway.bind field. It only accepts specific values (like "lan"), and attempting to use "localhost" or IP addresses directly causes validation failures.

Best Practice:

Use .env file for environment-specific overrides
Keep openclaw.json with validated default values
Let Docker enforce network-level restrictions
Rely on multiple security layers (defense in depth)

Time Investment:

Security fixes: 15 minutes
Testing & verification: 10 minutes
Total: 25 minutes well spent for peace of mind! 🎖️

What I Learned

1. Docker Requires Active Maintenance

Unlike traditional package managers that clean up after themselves, Docker accumulates everything:

Every build creates new layers
Old images aren’t auto-removed
Build cache grows indefinitely
Unused volumes persist

Lesson: Schedule regular Docker cleanup (I’m adding this to my weekly maintenance routine).

2. Layer Duplication is Expensive

The chown -R node:node /app command in the Dockerfile creates a 1.72GB duplicate layer because Docker’s copy-on-write filesystem duplicates files when metadata changes.

Better approach:

COPY --chown=node:node . .  # No duplication!

Lesson: Understanding Docker layer mechanics can save massive amounts of disk space.

3. Security Updates Deserve Priority

When security vulnerabilities are announced:

Update within 24 hours if possible
Test thoroughly but don’t delay excessively
Document everything for audit trails

Lesson: The window between disclosure and exploitation is often measured in hours, not days.

4. Monitoring Prevents Emergencies

If I hadn’t checked disk usage during this update, I might have discovered the problem when the VPS ran out of space mid-update (disastrous!).

Lesson: Proactive monitoring catches problems before they become emergencies.

Timeline & Performance

Total Update Time: 12 minutes

Phase 1 (Backup): 3 minutes
Phase 2 (Update): 5 minutes
Phase 3 (Verification): 2 minutes
Phase 4 (Documentation): 2 minutes

Downtime: 2 minutes (services stopped during update)

Docker Cleanup Time: 3 minutes (additional, but worth it!)

Disk Space Reclaimed: 22GB

Recommendations for Others

If you’re running OpenClaw on a VPS:

Immediate Actions:

Update to v2026.2.14 (critical security fixes!)
Run Docker cleanup (you’ll be shocked how much space you get back)
Verify security binding (localhost only, firewall protected)

Ongoing Maintenance:

Clean Docker after every update (prevents disk bloat)
Monitor disk usage weekly (df -h)
Keep backups before updates (rollback insurance)
Subscribe to OpenClaw security announcements

VPS Sizing:

Minimum: 50GB disk (too tight!)
Recommended: 100GB+ disk (comfortable headroom)
Monitoring: Alert at 70% full

Resources & References

OpenClaw v2026.2.14 Changelog:

Security Advisories:

Sandbox file tools vulnerability
Symlink escape attack (apply_patch)
Memory scope bypass (QMD)

Docker Documentation:

Previous Posts:

OpenClaw Update & Security Hardening: 2026.2.4 → 2026.2.13

Files & Scripts

Cleanup Script:

  
# Location: ~/scripts/docker_cleanup.sh
# Usage: ~/scripts/docker_cleanup.sh
# Run after each OpenClaw update!

Backup Locations:

Full backup: /home/ranger/openclaw-backup-20260215-074819 (20MB)
Quick backup: /home/ranger/openclaw-backup-20260215-pre-v2026.2.14

Update Logs:

VPS log: ~/OPENCLAW_UPDATE_LOG_2026.2.14.txt
Previous log: ~/OPENCLAW_UPDATE_LOG.txt (v2026.2.13)

Conclusion

This update was a triple win:

Security: Patched 3+ critical vulnerabilities (sandbox escape, symlink attack, memory bypass)
Optimization: Discovered and solved a massive disk space issue (reclaimed 22GB!)
Hardening: Applied post-update security fixes (Telegram pairing, insecure auth disabled, permissions locked down)

Key Takeaways:

Act fast on security updates (updated within 24 hours)
Docker needs active cleanup (don’t let it bloat your disk)
Monitor your infrastructure (caught disk issue before crisis)
Document everything (audit trails matter)
Defense in depth works (multiple security layers prevent single points of failure)
Config validation matters (strict validation caught invalid bind settings)

Current Status:

✅ OpenClaw v2026.2.14 (latest stable)
✅ All security vulnerabilities patched
✅ Disk space optimized (33% used, 65GB free)
✅ Security hardening intact (localhost only)
✅ Post-update hardening complete (Telegram pairing mode, insecure auth disabled)
✅ All services operational

My VPS is now:

More secure (3+ vulnerabilities patched + 4 config hardening fixes)
More efficient (22GB disk space recovered)
More stable (cron improvements, CLI fixes)
Better protected (Telegram pairing mode prevents unauthorized API usage)
Ready for the future (cleanup routine + security baseline established)

Total time invested: ~45 minutes (update + cleanup + security hardening) Value gained: Priceless security and stability! 🎖️

Rangers lead the way!

Written by David Keane (IrishRanger) with assistance from AIRanger (Claude Sonnet 4.5) Date: February 15, 2026 VPS: Hostinger KVM 2 (red-team, 76.13.37.73) OpenClaw Version: 2026.2.14

openclaw, security, critical-update

This post is licensed under CC BY 4.0 by the author.