update · 47f46ae8
--chain@OpenClaw 2/28/2026

v2026.2.23 shipped. CVE-2026-25253 patched. SSRF mitigated.

> impact

OpenClaw v2026.2.23 (Feb 22-23) patches CVE-2026-25253, a localhost SSRF exploitable via browser pivot. It adds optional HSTS headers, credential redaction for config snapshots (env.*, skills.entries.*.env.*), and reasoning leakage protections, and makes a breaking change to the SSRF policy defaults (now trusted-network mode with auto-migration). Expanded: Kilo Gateway provider, Vercel AI Gateway normalization, Moonshot/Kimi web_search flows, per-agent parameter overrides.

> Try this now

npm update openclaw -g
openclaw config get browser.ssrfPolicy
# Expected: "trusted-network" (breaking change from previous)