Independent OpenClaw reporting, releases, guides, and community coverage
RSS About
Latest
OpenClaw v2026.5.26-beta.2 Brings Key Security Fixes OpenClaw in the Wild: Sales Workflows, Agent Fatigue, and ARC-AGI-3 OpenClaw v2026.5.26: Meeting Notes, Transcripts, and a Big Performance Overhaul OpenClaw iMessage Media Pipeline Gets Two Key Fixes OpenClaw 5.24 Update Explained: The Community Video Roundup OpenClaw beta.2: Voice Steering, 4,100x Speed, and iMessage Approvals
Security

OpenClaw v2026.5.26-beta.2 Brings Key Security Fixes

OpenClaw v2026.5.26-beta.2 lands with critical security patches, a new Rastermill image backend, transcript upgrades, and a smarter Discord model picker.

Filed under Security 4 min read Updated May 27, 2026
Filed under Security v2026betabrings
OpenClaw v2026.5.26-beta.2 Brings Key Security Fixes

OpenClaw shipped v2026.5.26-beta.2 early this morning, following yesterday's beta.1 with a batch of security hardening, a media backend swap, transcript improvements, and several quality-of-life upgrades across the Gateway and channels.

If you run a self-hosted instance exposed to the internet, the security section is required reading.

Security: What Changed

This release closes several real attack surfaces:

  • Memory injection blocked. The memory_store tool now rejects prompt-like text before embedding or storage (#87142), matching the existing auto-capture filter. This prevents a class of prompt-injection attacks where a crafted document could poison an agent's long-term memory.

  • Auth rate limiter on by default. Remote non-browser and HTTP Gateway auth failures are now rate-limited out of the box when gateway.auth.rateLimit is unset (#87148). The loopback exemption is preserved. Previously, brute-force attempts against unprotected gateways had no built-in throttle.

  • Browser SSRF guard. Browser snapshot tab URLs are now validated against the SSRF policy before ChromeMCP or direct CDP reads (#78526) — thanks to @zsxsoft.

  • System-event spoofing prevented. Queued system-event text is sanitized so untrusted plugin or channel labels cannot inject nested prompt markers (#87094) — thanks to @ttzero25.

  • File fetch wrapped as external content. Fetched file text and metadata is now wrapped as external content, making it harder for malicious files to masquerade as trusted instructions (#87062) — thanks to @mmaps.

  • Stale device tokens rejected. RPCs from clients whose device tokens were invalidated during rotation are now dropped rather than served (#70707).

  • ClickClack allowlists enforced earlier. allowFrom sender allowlists are now applied before agent dispatch rather than after (#83741).

In short: this is one of the more substantial security patch batches in recent beta cycles. Updating is recommended.

Media Backend: Sharp → Rastermill

OpenClaw replaces its Sharp image backend with Rastermill (#86437) for metadata reads, resizing, EXIF orientation correction, and PNG alpha-preserving optimization. This removes both Sharp and the WhatsApp Jimp fallback from the dependency tree entirely. The main user-visible benefit is smaller installs with fewer native binaries to compile or download. If you maintain a Docker image or CI pipeline for OpenClaw, you'll notice the reduction in install size.

Transcripts Are Now Core

beta.2 expands the transcript work first introduced in beta.1. User turns from the CLI, WebChat, media, follow-up messages, hooks, and Codex-mirrored flows are all now persisted to the admitted session target through a unified path. Inline image routing, provenance metadata, replay hooks, and fallback paths are kept idempotent across restarts.

This matters for anyone using OpenClaw for meeting notes, long-running sessions, or agent chains where continuity across restarts is important.

Discord: Smarter Model Picker for Large Configs

If you have a large provider config (e.g. provider/* wildcards covering 25+ models), the Discord model picker now surfaces an alpha-bucket selector — something like A–G (12) · H–N (18) · O–Z (5) — instead of paginating with prev/next buttons (release notes). For configs with hundreds of models, this gets you to the right model in one click instead of navigating through pages. Falls back to numeric chunks when all items share the same first letter.

Codex Updated to 0.134.0

The bundled Codex CLI is now pinned to 0.134.0 (#86772). Native compaction remains disabled for budget-triggered app-server turns so OpenClaw owns the recovery boundary rather than letting Codex compact on its own schedule.

Cron Gets a Sensible Default

cron.maxConcurrentRuns now defaults to 8, meaning scheduled automations and their isolated agent turns can run in parallel without any explicit config. Previously, the default effectively serialized cron jobs.

Activity Tab in Control UI

The browser Control UI gains an ephemeral Activity tab showing sanitized live tool activity summaries without persisting raw telemetry. This closes #12831 — thanks to @BunsDev.

TUI: No More Dropped Prompts

A long-standing TUI bug is fixed: prompts submitted while an agent is busy are now queued rather than silently dropped (#86722). Fast-mode status is now also shown explicitly in the status output.

How to Update

npm install -g openclaw@latest

Check the full release notes on GitHub for the complete change list, including Telegram, iMessage, WhatsApp, Android/iOS, and plugin SDK fixes.

Latest in Security

Fresh internal links from the same section help readers and crawlers keep moving through the newest security coverage.

Related OpenClaw coverage

Keep exploring the same topic cluster with nearby release notes, security context, and practical follow-up coverage.

Continue Reading

← Back to all posts Follow via RSS
Daily Briefing

Get the Open-Source Briefing

The stories that matter, delivered to your inbox every morning. Free, no spam, unsubscribe anytime.

Join 45,000+ developers. No spam. Unsubscribe anytime.