If you’ve been running OpenClaw in production, the 2026.5.26 release is one you’ll want to read carefully. This isn’t a cosmetic update — it’s a security and stability pass that touches the core of how OpenClaw handles auth, message delivery, Codex sessions, and transcript persistence.
Let me walk you through what changed and why it matters.
Security Hardening Across the Board
This release closes a number of attack surfaces that most people never think about — until something goes wrong. Here’s what got locked down:
- Memory store injection protection: The memory store now rejects prompt-like injection attempts. If you’re storing user-generated content or external data, it can’t sneak prompt instructions past your agent’s context.
- Gateway auth rate limiting: Remote non-browser auth failures now hit default rate limits. Brute-force attempts against your gateway get throttled automatically.
- Browser snapshot SSRF validation: Snapshot URLs are validated against the SSRF policy before being fetched. No more internal network probing through browser tools.
- System-event text sanitization: Untrusted plugin and channel labels can’t spoof nested prompts in system events. This prevents a class of social engineering attacks where malicious labels could inject instructions.
- ClickClack sender allowlists: The `allowFrom` sender allowlists are now enforced before agent dispatch. Only authorized senders can trigger agents.
- Device-token rotation hardening: RPCs from invalidated device tokens are rejected during rotation. Stolen or rotated tokens can’t be replayed.
- Tool-call text scrubbing: Serialized tool-call text is scrubbed from replies. Internal tool parameters don’t leak into user-visible output.
What This Means For You
If you’re exposing OpenClaw to external users — whether through Telegram, Discord, web chat, or custom channels — these fixes matter. The injection protections alone are worth the upgrade. You don’t want to be the person who discovers that a plugin label was used to override agent behavior. Rate limiting on gateway auth is table stakes for production deployments, and now it’s built in.
The SSRF validation on browser snapshots is particularly important if you’re using browser automation in multi-tenant setups. Without it, a crafted URL could potentially probe internal services. That door is now closed.
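As an added example (not OpenClaw’s own code), here is the kind of pre-fetch check the snapshot SSRF validation describes: the URL is parsed, the scheme restricted, and any literal address in a loopback, link-local, carrier-grade NAT or private range is rejected before anything is fetched. The policy contents and the function name `checkSnapshotUrl` are assumptions.

```typescript
// Added example of a validate-before-fetch SSRF policy; not OpenClaw's code.
// The blocked ranges and hostnames below are an assumed policy.
import { isIP } from "node:net";

const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);

// True when a dotted-quad IPv4 address is in a non-public range.
function isPrivateIPv4(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) || // carrier-grade NAT
    (a === 169 && b === 254) ||           // link-local / cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// True for IPv6 loopback/unspecified, ULA, link-local, or an IPv4-mapped
// address (dotted or hex form) whose embedded IPv4 is private.
function isPrivateIPv6(ip: string): boolean {
  const lower = ip.toLowerCase();
  if (lower === "::1" || lower === "::") return true;
  if (/^f[cd]/.test(lower) || /^fe[89ab]/.test(lower)) return true;
  const dotted = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isPrivateIPv4(dotted[1]);
  const hex = lower.match(/^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/);
  if (hex) { const hi = parseInt(hex[1], 16); return isPrivateIPv4(`${hi >> 8}.${hi & 255}.0.0`); }
  return false;
}

type SsrfVerdict = { ok: true; url: URL } | { ok: false; reason: string };

// Policy gate to run before a snapshot URL is handed to the browser tool.
function checkSnapshotUrl(raw: string): SsrfVerdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // WHATWG URL parsing already normalises numeric hosts such as 2130706433
  // or 0x7f.1 to dotted form, so the range check sees the canonical address.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith(".localhost"))
    return { ok: false, reason: "blocked hostname" };
  const family = isIP(host);
  if (family === 4 && isPrivateIPv4(host)) return { ok: false, reason: "private IPv4" };
  if (family === 6 && isPrivateIPv6(host)) return { ok: false, reason: "private IPv6" };
  // DNS names pass here; a rebinding-safe fetch must re-check the resolved
  // address at connect time (e.g. a custom lookup), not only at this gate.
  return { ok: true, url };
}
```

Checking the literal host is only half the job: a hostname that resolves to an internal address at connect time needs the same check applied to the resolved address.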
Faster Reply Delivery
Latency is one of those things that kills user trust slowly. You don’t notice it until someone complains that “the bot feels slow.” This release takes a machete to reply delivery latency:
- Telegram typing context preserved: Typing indicators and progress context stay alive instead of flickering in and out.
- Lazy slash-command metadata: Slash command metadata loads on demand instead of blocking the hot path.
- Model hydration deferred: Model hydration is skipped on hot paths, reducing per-turn overhead.
- Codex profiler timing flag-gated: Profiler timing in Codex only runs when explicitly enabled.
- Context compaction deferred: Maintenance compaction doesn’t block active turns.
- Delivery timing tracked: New delivery timing instrumentation lets you see exactly where time is spent.
What This Means For You
Your agents will feel snappier, especially on Telegram where the typing indicator is a big part of the perceived experience. If you’ve been profiling your agents and wondering where the latency comes from, the new delivery timing tracking will give you real data instead of guesswork.
The deferred operations — model hydration, compaction, metadata loading — mean that the critical path from “user sends message” to “user sees first token” is shorter. In practice, you should see measurable improvements in time-to-first-response across all channels.
Codex Stability Improvements
Codex has been a powerful but sometimes fragile part of OpenClaw. This release makes it significantly more robust:
- Chat history projection: Newer OpenClaw chat history is now projected into resumed app-server threads. When a Codex session resumes, it picks up where it actually left off — not where it thinks it left off.
- Turn timeout containment: Codex turn timeouts are now contained inside the Codex runtime boundary. A timeout in one Codex turn can’t poison a shared app-server client or fall through to an unrelated provider fallback. This is a big deal for reliability.
What This Means For You
If you’re using Codex for long-running tasks — code review, multi-step workflows, anything that spans multiple turns — this is the stability fix you’ve been waiting for. The timeout containment alone prevents a whole class of cascading failures where one slow Codex turn could take down unrelated sessions.
Chat history projection means that resumed sessions actually have context continuity. No more “the agent forgot what we were doing” after a resume.
Better Transcripts and User Turns
Transcript reliability is invisible when it works and catastrophic when it doesn’t. This release overhauls how user turns persist:
- CLI, WebChat, media, follow-up, hook, and Codex-mirror user turns all persist to the admitted session target.
- Text is cleaned before persistence.
- Inline images route correctly.
- Provenance metadata is preserved.
- Replay hooks are maintained.
- Fallback paths are idempotent when runtimes fail or restart.
What This Means For You
Your conversation history is now reliable. Every user turn — regardless of where it came from — gets properly persisted with the right metadata. This matters for audit trails, for conversation continuity, and for any downstream processing that depends on accurate transcripts.
The idempotent fallback paths mean that even if your runtime crashes mid-turn, the transcript doesn’t get corrupted. You can restart and pick up cleanly.
Plugin Commands and SDK Fixes
The plugin system got several important fixes:
- Plugin LLM command auth preserved: Authentication context flows correctly through plugin LLM commands.
- Native plugin command dispatch: Bound to the host agent’s LLM auth, so plugins don’t accidentally escalate or lose permissions.
- Diagnostic event exports: Discoverable through `Function.name`, making debugging plugin issues easier.
- Local approval resolution repaired: The approval flow that was broken in some edge cases now works correctly.
What This Means For You
If you’re writing or running custom plugins, auth context now flows correctly. No more mysterious permission errors when a plugin tries to use LLM commands. The diagnostic improvements mean you can actually see what’s happening inside plugin dispatch instead of guessing.
Gateway Performance
The gateway does less work on every request now:
- Startup-warning metadata and prepared auth stores are reused instead of rebuilt.
- Live-switch and lifecycle session caches aren’t cloned on read paths.
- Warning and scheduled-service fallback imports are deferred.
- Duplicate turn session touches are skipped.
- Session/startup/runtime CPU churn is trimmed across the board.
What This Means For You
Lower CPU usage on your gateway. If you’re running multiple agents or handling high message volume, this translates directly to better throughput and lower resource costs. The reduced cloning on read paths alone saves significant memory allocation overhead under load.
Telegram and Windows Fixes
Telegram: ENETDOWN is now treated as a transient pre-connect failure (not a fatal error). Inbound text entities, overlapping DM replies, account topic cache sidecars, outbound reply context, and targeted bot-command mentions are all properly preserved.
Windows CLI: A stack-size respawn now handles stack-heavy startup paths, CLI logs use local timestamps, and timeout and banner TTY state validation is stricter.
What This Means For You
Telegram bots will reconnect more reliably on network hiccups. The entity preservation fixes mean that formatted messages, replies, and mentions all work correctly instead of getting silently stripped. On Windows, the CLI is more stable and logs are actually useful now with local timestamps.
Upgrade Guide
Updating is straightforward:
npm update -g openclaw
Or if you’re installing fresh:
npm install -g openclaw
After updating, restart your gateway:
openclaw gateway restart
No breaking changes in this release. All configuration and plugins should work as-is.
—
The 2026.5.26 release is a solid foundation. Security, speed, and stability — the three things that matter most in production. Update when you can.