[Bug]: SECURITY ERROR on bind for remote access

[autronix]

Summary

Installed 2026.2.19 from 2026.2.17, gateway no longer starts with "bind": "lan". Running openclaw doctor --fix yields:

Error: SECURITY ERROR: Gateway URL "ws://10.11.12.13:18789" uses plaintext ws:// to a non-loopback address.
Both credentials and chat data would be exposed to network interception.
Source: local lan 10.11.12.13
Config: /home/myuser/.openclaw/openclaw.json
Fix: Use wss:// for the gateway URL, or connect via SSH tunnel to localhost.

Steps to reproduce

1. was running 2026.2.17 with bind set to lan, was able to access openclaw on the local network
2. updated to 2026.2.19 using curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s --git
3. no longer able to access openclaw on local network, doctor throws error.

Expected behavior

• blocking is fine, but correct configuration setting should be recommended for openclaw.json
• document this case

Actual behavior

• no information about how to resolve the issue and be able to start the gateway with the "insecure" configuration

OpenClaw version

2026.2.19

Operating system

Ubuntu 24.04

Install method

online bash

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

I tried setting the gateway.remote.url to wss://ip:port, but it doesn't seem to have an impact. (I see the error is triggered here

openclaw/src/gateway/call.ts

Line 158 in a1d5dce

if (!isSecureWebSocketUrl(url)) {

).

[autronix]

After digging around in the code, I noticed that in order for this to work, the following setting needs to be set: gateway.tls.enabled to true.

I was able to start the gateway and run openclaw doctor --fix without issues.

I think this is a lack of documentation problem. Specifically, there should be a note to set that setting in the config file.

[SAGEof6iixPATHS]

I have the same problem; this update broke it.
I am on raspberry pi and have not done anything to show the gateway to the public IP; I run it on a local home network.
How can I fix this for my case?

root@name:~/.openclaw# openclaw gateway status

🦞 OpenClaw 2026.2.19-2 (45d9b20) — Chat APIs that don't require a Senate hearing.

│
◇  
Service: systemd (enabled)
File logs: /tmp/openclaw/openclaw-2026-02-20.log
Command: /usr/bin/node /usr/lib/node_modules/openclaw/dist/index.js gateway --port 18789
Service file: ~/.config/systemd/user/openclaw-gateway.service
Service env: OPENCLAW_GATEWAY_PORT=18789

Config (cli): ~/.openclaw/openclaw.json
Config (service): ~/.openclaw/openclaw.json

Gateway: bind=lan (0.0.0.0), port=18789 (service args)
Probe target: ws://192.168.1.69:18789
Dashboard: http://192.168.1.69:18789/
Probe note: bind=lan listens on 0.0.0.0 (all interfaces); probing via 192.168.1.69.

Runtime: running (pid 4981, state active, sub running, last exit 0, reason 0)
Warm-up: launch agents can take a few seconds. Try again shortly.
RPC probe: failed
RPC target: ws://192.168.1.69:18789
  SECURITY ERROR: Gateway URL "ws://192.168.1.69:18789" uses plaintext ws:// to a non-loopback address.
  Both credentials and chat data would be exposed to network interception.
  Source: cli --url
  Config: /root/.openclaw/openclaw.json
  Fix: Use wss:// for the gateway URL, or connect via SSH tunnel to localhost.

Gateway port 18789 is not listening (service appears running).
Logs: journalctl --user -u openclaw-gateway.service -n 200 --no-pager

Troubles: run openclaw status
Troubleshooting: https://docs.openclaw.ai/troubleshooting

[Joe3112]

I encountered the same issue and am working on a fix, will be ready soon!

[tyler6204]

Fixed in commit 47f3979 (merged to main).

buildGatewayConnectionDetails() now always resolves local self-connections to loopback (127.0.0.1) regardless of gateway.bind, so local CLI/tool/gateway calls no longer resolve to LAN/Tailscale IPs and no longer trigger the plaintext non-loopback security guard.