Get in touch

OpenClaw Automatic Updates

OpenClaw Automatic Updates Guide — Stay Patched, Stay Safe (2026) 🔄 Updates Guide Keep OpenClaw Automatically Updated When CVE-2026-25253 dropped, patched users were safe within minutes. Unpatched instances stayed vulnerable…

OpenClaw Automatic Updates Guide — Stay Patched, Stay Safe (2026)
🔄 Updates Guide

Keep OpenClaw Automatically Updated

When CVE-2026-25253 dropped, patched users were safe within minutes. Unpatched instances stayed vulnerable for weeks. Automate updates — it takes 10 minutes to set up once.

Why This Matters

The Update Problem in Real Numbers

Self-hosted OpenClaw means security is your responsibility. Here’s what the data shows.

17,500+
Exposed instances found unpatched days after CVE-2026-25253 disclosure
~4 hrs
Median time for managed hosts to patch fleet-wide after disclosure
10 min
Time to set up automated weekly updates on your self-hosted VPS
Step-by-Step

Create the Automated Update Script

This script pulls the latest OpenClaw Docker image, restarts the container if the image changed, and logs the result.

Step 1: Create the update script

~/openclaw/update.sh
#!/bin/bash # OpenClaw Auto-Update Script # Pulls latest image, restarts if changed, logs result set -e LOGFILE=~/openclaw/update.log TIMESTAMP=$(date ‘+%Y-%m-%d %H:%M:%S’) echo “[$TIMESTAMP] Starting OpenClaw update check…” >> $LOGFILE cd ~/openclaw # Pull latest image and capture output PULL_OUTPUT=$(docker compose pull 2>&1) if echo “$PULL_OUTPUT” | grep -q “Pull complete\|Downloaded newer image”; then echo “[$TIMESTAMP] New image found — restarting…” >> $LOGFILE docker compose up -d docker image prune -f echo “[$TIMESTAMP] Update complete.” >> $LOGFILE else echo “[$TIMESTAMP] No update needed — already on latest.” >> $LOGFILE fi

Step 2: Make it executable

chmod +x ~/openclaw/update.sh

Step 3: Test it manually first

~/openclaw/update.sh && tail -5 ~/openclaw/update.log
Snapshot Before Updating (Optional but Recommended)

Take a VPS snapshot before major OpenClaw version updates. Most providers (Hostinger, DigitalOcean, Contabo) offer snapshots from the control panel. A snapshot means you can roll back instantly if an update breaks something.

Scheduling

Schedule with Cron

Set the update script to run automatically every Sunday at 3 AM — low-traffic time, weekly cadence matches OpenClaw’s release rhythm.

Open your crontab

crontab -e

Add these lines

# Run OpenClaw update every Sunday at 3 AM 0 3 * * 0 /home/openclaw/openclaw/update.sh # Also update system packages weekly (Sunday at 3:30 AM) 30 3 * * 0 sudo apt update && sudo apt upgrade -y >> ~/openclaw/sysupdate.log 2>&1 # Rotate logs monthly (first day of month at 4 AM) 0 4 1 * * truncate -s 0 ~/openclaw/update.log

Verify the cron job is registered

crontab -l
Adjust the Path for Your Setup

Replace /home/openclaw/openclaw/ with the actual path where you installed OpenClaw. If you’re running as root, it’s likely /root/openclaw/. Verify with echo ~/openclaw while logged in as your user.

Notifications

Get Notified When Updates Run

Know what happened without checking logs manually — send update results straight to your Telegram bot.

Enhanced update.sh with Telegram notification
#!/bin/bash # OpenClaw Auto-Update with Telegram notification LOGFILE=~/openclaw/update.log TIMESTAMP=$(date ‘+%Y-%m-%d %H:%M:%S’) BOT_TOKEN=“your-telegram-bot-token” CHAT_ID=“your-telegram-chat-id” cd ~/openclaw PULL_OUTPUT=$(docker compose pull 2>&1) if echo “$PULL_OUTPUT” | grep -q “Pull complete\|Downloaded newer image”; then docker compose up -d && docker image prune -f MSG=”✅ OpenClaw Updated — New image deployed at $TIMESTAMP” echo “[$TIMESTAMP] Updated.” >> $LOGFILE else MSG=”ℹī¸ OpenClaw check at $TIMESTAMP — already on latest, no changes.” echo “[$TIMESTAMP] No update.” >> $LOGFILE fi # Send to Telegram curl -s -X POST “https://api.telegram.org/bot$BOT_TOKEN/sendMessage” \ -d “chat_id=$CHAT_ID&text=$MSG” > /dev/null

Replace your-telegram-bot-token with the token from @BotFather and your-telegram-chat-id with your personal chat ID (get it from @userinfobot).

Verification

How to Verify You’re on the Latest Version

  • Check the running image tag
    docker inspect openclaw | grep -i image
  • Compare to latest on Docker Hub
    Visit hub.docker.com/r/openclaw/gateway/tags and compare your tag to the latest
  • Check OpenClaw GitHub releases
    github.com/open-claw/openclaw/releases — enable “Watch → Releases only” for email alerts on new versions
  • Check your update log
    tail -20 ~/openclaw/update.log
  • Ask your agent directly
    Message OpenClaw: “What version are you running?” — it can report its own build info
After a Major Update: Always Test

After any version bump, send a few test messages across all connected channels before trusting the agent with automations. Check Docker logs for errors: docker logs openclaw --since 1h. If something broke, roll back to your snapshot.

Updates Automated — You’re Protected

With automated updates and the security hardening guide in place, your OpenClaw instance is running production-grade.

Security Hardening Guide Backup & Recovery Guide →