OpenClaw's security team — led by steipete — published four advisories on April 21, 2026. All four are rated Moderate or Low, meaning none represent a critical remote code execution risk for typical self-hosted setups. But two of them touch the gateway and hooks layers, which are worth understanding clearly.
Quick verdict: Update to the latest version (npm update -g openclaw), restart your gateway, and you're patched. Read on if you want to understand what was actually fixed and whether your config was affected.
All Four at a Glance
| Advisory | Component | Severity | What It Did |
|---|---|---|---|
GHSA-7jm2-g593-4qrc |
Gateway config API | Moderate | Config mutations could overwrite protected operator settings |
GHSA-2xcp-x87w-q377 |
Hooks layer | Moderate | Hook mapping templates could bypass session-key opt-in |
GHSA-c4qg-j8jg-42q5 |
Workspace dotenv | Low | Workspace .env files could override runtime-control env vars |
| QQBot SSRF | QQBot channel | Moderate | Direct media uploads skipped URL SSRF validation |
Advisory Deep Dives
Gateway Config Mutations Could Change Protected Operator Settings
What happened: The gateway's runtime configuration mutation API — the path that lets agents or scripts modify settings on the fly — was not enforcing "protected" flag checks on a subset of operator-level keys. This meant an authenticated session (your own agent, or a script with a valid session key) could potentially overwrite configuration values that should be immutable at runtime.
Real-world risk: For single-user self-hosted setups (the typical ClawReady deployment), this is lower-risk than it sounds — you're the only one with session access anyway. The risk increases if you share your gateway with other users, run multi-tenant setups, or have skill-generated tool calls that touch config endpoints. The fix enforces the protected flag check on all mutation paths.
Check your setup: If you use openclaw config set via the agent, or have any hooks/skills that write to gateway configuration, verify those still behave as expected after updating.
Hook Mapping Templates Could Bypass Hook Session-Key Opt-In
What happened: OpenClaw hooks support a session-key opt-in — a mechanism that restricts which sessions a hook can fire into. Hook mapping templates (the variable-expansion layer that constructs hook payloads) were not honoring this restriction in all code paths. A hook configured with session-key opt-in could still be triggered into unauthorized sessions via a crafted template expansion.
Real-world risk: If you use hooks at all — and especially if you have session-key restrictions configured — this is the most relevant of the four. The attack path requires a hook with a template that an adversarial input could influence. For most personal-use setups with hardcoded hook configs, real exposure is low. The fix aligns template evaluation with the session-key opt-in check at every code path.
Check your setup: Review any hooks in your workspace that use session-key restrictions. After patching, test that those restrictions still fire correctly. Run openclaw hooks to see what's loaded.
Workspace .env Could Override OpenClaw Runtime-Control Environment Variables
What happened: If a workspace's .env file contained keys that matched OpenClaw's internal runtime-control variables (the environment variables the gateway uses to manage its own behavior — not your API keys), those values would silently win. This is a precedence bug: workspace dotenv was loaded too late in the env merge order, allowing it to overwrite vars that should be process-level only.
Real-world risk: Low in practice. Exploiting this requires write access to the workspace .env file — which an adversary with that access already has plenty of other ways to cause harm. Rated Low because the attack surface requires pre-existing workspace compromise. The fix restructures the env merge order so runtime-control vars always take priority over workspace dotenv.
Check your setup: If you have a .env file in your workspace root, scan it for any keys starting with OPENCLAW_ — those could have been silently overriding gateway behavior. Remove anything that isn't a third-party API key.
QQBot Direct Media Upload Skipped URL SSRF Validation
What happened: The QQBot channel's direct media upload path — the code that handles file/image uploads from QQBot messages — was not running the same SSRF (Server-Side Request Forgery) URL validation that the regular URL fetch path uses. This means a crafted media URL pointing at an internal address (e.g. http://169.254.169.254 for cloud metadata endpoints, or localhost services) could be fetched by the gateway without the normal block list applying.
Real-world risk: Only affects setups with QQBot channel enabled. If you're not using QQBot, you have zero exposure. For QQBot users running on cloud infrastructure (VPS, EC2, etc.), this is the most practically serious of the four — metadata endpoint SSRF is a real attack path for cloud credential theft. The fix applies the existing SSRF validation to all media upload URLs regardless of path.
Check your setup: If you have QQBot enabled, update immediately. If you don't use QQBot, no action needed beyond the standard update.
How to Patch: 3 Steps
All four vulnerabilities are fixed in the latest OpenClaw release. The patch process is the same as any routine update:
# Step 1 — Update OpenClaw globally
npm update -g openclaw
# Step 2 — Verify you're on the patched version
openclaw --version
# Step 3 — Restart the gateway
openclaw gateway restartThat's it. No config migration, no schema changes. Restart and you're done.
If you use PM2 or systemd to run the gateway: Make sure you're restarting the actual process, not just sending a reload signal. The env merge fix (GHSA-c4qg) requires a full process restart to take effect.
PM2: pm2 restart openclaw-gateway | systemd: sudo systemctl restart openclaw-gateway
Context: OpenClaw's Security Cadence
These four advisories in a single batch is consistent with OpenClaw's approach: collect moderate/low issues and publish them together to reduce advisory noise. The fact that they're all Moderate-or-below (and published proactively by the core team rather than by external researchers post-exploitation) is a healthy sign.
This week also saw the "OpenClaw" malware story (a trojan that borrows the name — see our full explainer), which is unrelated to these advisories. The legitimate framework's security posture is improving, not degrading.
For self-hosters, the pattern to develop is: watch the GitHub security page, update within a week of any moderate advisory, and update within 24 hours of anything rated high or critical.
What We Do at ClawReady
When we set up OpenClaw for clients, security maintenance is part of the service — not an afterthought. We:
- Monitor the GitHub security page and advisory feeds
- Notify clients of patch-required updates within 24 hours of moderate+ advisories
- Review hooks and workspace dotenv configs during initial setup to remove common misconfiguration patterns
- Scope channel plugins to only what each client actually uses (so a QQBot SSRF doesn't affect a Telegram-only setup)
If you've been running OpenClaw unmanaged and want a one-time config review, the $49 Security Audit covers exactly this — gateway exposure, hook config review, workspace dotenv audit, and channel plugin scope check.
Running OpenClaw unmanaged?
Get a one-time security audit. We review your gateway config, hooks setup, channel plugins, and workspace for the patterns these advisories exposed — and give you a plain-English fix list.
Book a Security Audit — $49Summary
Four advisories, all Moderate or Low, all fixed in the latest release. Update with npm update -g openclaw and restart your gateway. The only one requiring urgency is the QQBot SSRF if you're running QQBot on cloud infrastructure — patch that today.
For the three non-QQBot fixes: update this week, review your hooks and workspace dotenv, and you're covered.