2026.2.25-beta.1PATCH⚠ BETAReleased: 2026-02-24

Beta Preview: Security Patches

/** Beta preview of the critical security fixes shipping in 2026.2.25 stable. */

⚠ Beta release — not recommended for production. Upgrade to 2026.2.25 stable when available.

security_preview.md

✨ Security Patches in this Beta

Gateway WebSocket Auth Hardening

Enforced origin checks for browser WebSocket clients beyond Control UI/Webchat. Password-auth failure throttling applied to browser-origin loopback attempts.

Microsoft Teams File Consent Binding

fileConsent/invoke upload acceptance/decline bound to originating conversation, preventing cross-conversation upload injection via leaked uploadId values.

Workspace FS Hardlink Rejection

Rejected hardlinked workspace file aliases in workspaceOnly and applyPatch boundary checks to prevent out-of-workspace read/write via in-workspace hardlink paths.

Signal Reaction Authorization

Enforced DM/group authorization before reaction-only notification enqueue so unauthorized senders cannot inject Signal reaction system events.

install_beta.sh

📦 Try the Beta

$ npm install -g openclaw@2026.2.25-beta.1

← Previous:

2026.2.24 — Android App + Heartbeat

All Releases →