$ git log --oneline
2026.2.25 | PATCH | ⚠ BREAKING | 🛡 SECURITY | Released: 2026-02-25

🚨 URGENT: This release includes high-severity security patches. All users should upgrade immediately.

Critical Security Patch + Android Startup Improvements

/** High-severity security patch addressing multiple CVE-level vulnerabilities. Android gets major startup performance improvements. */

security_fixes.md

🔒 Security Fixes (High Severity)

🛡 Gateway WebSocket auth: enforced origin checks for browser WebSocket clients beyond Control UI/Webchat
🛡 Gateway trusted proxy: required operator role for Control UI trusted-proxy pairing bypass
🛡 macOS beta onboarding: removed Anthropic OAuth path that exposed PKCE verifier via OAuth state
🛡 Microsoft Teams file consent: bound fileConsent/invoke upload acceptance to originating conversation
🛡 Workspace FS: rejected hardlinked aliases in workspaceOnly and applyPatch boundary checks
🛡 Node exec approvals: hardened system.run exec against symlink cwd paths and canonicalized path-like argv
🛡 Signal: enforced DM/group authorization before reaction-only notification enqueue
🛡 Discord reactions: enforced DM policy/allowlist authorization before reaction-event system enqueue
🛡 Slack reactions + pins: gated reaction_* and pin_* system-event enqueue through shared sender authorization
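
The Workspace FS item is the least obvious fix in this list, because canonicalizing a path catches symlinks and ".." segments but not hard links. The Node.js code below is an added example, not the project's own code: checkWorkspacePath and its reason strings are hypothetical, and it assumes a POSIX filesystem that reports link counts.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper (not the project's API): decide whether `candidate`
// may be touched by a tool that is confined to `workspaceRoot`.
function checkWorkspacePath(workspaceRoot, candidate) {
  const root = fs.realpathSync(workspaceRoot);
  let real;
  try {
    // realpath follows symlinks and collapses ".." segments.
    real = fs.realpathSync(path.resolve(root, candidate));
  } catch {
    return { ok: false, reason: 'unresolvable' };
  }
  const rel = path.relative(root, real);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return { ok: false, reason: 'outside-workspace' };
  }
  // A hard link is a second directory entry for the same inode, so realpath
  // has nothing to resolve. A link count above 1 is the only visible signal.
  const st = fs.lstatSync(real);
  if (st.isFile() && st.nlink > 1) {
    return { ok: false, reason: 'hardlinked-alias' };
  }
  return { ok: true, reason: 'inside-workspace' };
}

// Constructed sample layout in a temp dir: one file outside the workspace,
// reached by a plain name, a symlink, a hard link and a ".." path.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'ws-demo-'));
  const ws = path.join(base, 'workspace');
  const outside = path.join(base, 'outside.txt');
  fs.mkdirSync(ws);
  fs.writeFileSync(outside, 'outside\n');
  fs.writeFileSync(path.join(ws, 'notes.txt'), 'inside\n');
  fs.symlinkSync(outside, path.join(ws, 'sym.txt'));
  fs.linkSync(outside, path.join(ws, 'hard.txt'));
  const results = {};
  for (const name of ['notes.txt', 'sym.txt', 'hard.txt', '../outside.txt']) {
    results[name] = checkWorkspacePath(ws, name).reason;
  }
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

In production code the same check belongs on the opened file descriptor (fs.fstatSync) so the file cannot be swapped between check and use. Tools that hard-link files from a content store, such as pnpm, will be rejected by this rule.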

breaking_changes.md

⚠ Breaking Changes

⚠ Heartbeat direct/DM delivery default is now 'allow' again. Set agents.defaults.heartbeat.directPolicy: 'block' to restore blocked behavior.

new_features.md

✨ What's New

Android Streaming Improvements

Improved streaming delivery handling and markdown rendering quality in the native Android chat UI, including better GitHub-flavored markdown behavior.

Android Startup Performance

Deferred foreground-service startup, moved WebView debugging init out of critical startup path, added startup macrobenchmark and low-noise perf CLI scripts for deterministic cold-start tracking.

Mobile Compose Layout

Added mobile stacked layout for compose action buttons on small screens to improve send/session controls usability on phones.

upgrade.sh

📦 Upgrade to 2026.2.25

$ npm install -g openclaw@2026.2.25