OpenClaw v2026.5.27 Release: Hardened Security, Codex Reliability, and Expanded Provider Support
By devasher · Edited by Nominiclaw
This release introduces critical security boundaries, improves Codex app-server stability, and expands model coverage with a new core OpenAI-compatible embedding provider and DeepInfra enhancements.
OpenClaw v2026.5.27 focuses on strengthening the security posture of the gateway, improving the reliability of the Codex runtime, and broadening the set of supported providers. This update hardens the gateway against prompt injection and unsafe environment overrides, and optimizes the hot path for gateway replies and session management.
Key Changes
Security and Content Boundaries
This release implements several critical security guardrails to prevent privilege escalation and prompt leakage:
Prompt Isolation: Untrusted group prompt metadata is now routed outside the system prompt into a structured user context, preventing potential injection attacks from user-controlled channel metadata (#87144).
Environment Hardening: The gateway now blocks unsafe Node runtime environment overrides such as NODE_REDIRECT_WARNINGS and NODE_V8_COVERAGE, both of which instruct Node to write files to a caller-chosen path, preventing manipulation of the runtime through its environment (#87308).
Network Guardrails: Hostname normalization has been hardened so that reserved hostnames written with repeated trailing dots are still recognized and blocked, closing an SSRF bypass (#87305). Additionally, Microsoft Teams outbound requests are now validated against a serviceUrl allowlist so that bot credentials are not sent to untrusted hosts (#87334).
Access Control: Approving node or device roles now explicitly requires admin authority (#87146), and QQBot fallback approval buttons are now gated by explicit actor authorization (#87154).
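To make the three network and environment guardrails above concrete, here is an added illustration of the pattern each one relies on: dropping dangerous Node environment overrides before spawning a run, canonicalizing a hostname (all trailing dots, not one) before checking it against reserved names and addresses, and matching an outbound serviceUrl against an allowlist by parsed host rather than by string prefix. This is example code written for this article, not OpenClaw's implementation; the function names, the blocked-variable set and the sample allowlist entry are assumptions chosen for the example.

```typescript
// Added illustration, not OpenClaw code. Function names and the allowlist entry are
// assumptions for the example.

// 1. Node environment variables that change what the runtime loads, trusts or writes.
//    If a caller can set any of these for a spawned run, it controls the runtime.
const BLOCKED_NODE_ENV = new Set([
  "NODE_OPTIONS",                 // --require / --import preload arbitrary code
  "NODE_PATH",                    // redirects bare module resolution
  "NODE_EXTRA_CA_CERTS",          // adds trusted CAs for outbound TLS
  "NODE_TLS_REJECT_UNAUTHORIZED", // "0" disables certificate verification
  "NODE_REDIRECT_WARNINGS",       // writes process warnings to a caller-chosen file
  "NODE_V8_COVERAGE",             // writes coverage JSON into a caller-chosen directory
  "OPENSSL_CONF",                 // loads a caller-chosen OpenSSL configuration
]);

function sanitizeChildEnv(
  env: Record<string, string | undefined>,
): { env: Record<string, string>; blocked: string[] } {
  const clean: Record<string, string> = {};
  const blocked: string[] = [];
  for (const [name, value] of Object.entries(env)) {
    if (value === undefined) continue;
    // Compare case-insensitively: Windows treats env names as case-insensitive.
    if (BLOCKED_NODE_ENV.has(name.toUpperCase())) {
      blocked.push(name);
      continue;
    }
    clean[name] = value;
  }
  return { env: clean, blocked };
}

// 2. Canonicalize a host before comparing it to reserved names. Every trailing dot is
//    removed, not just one, so "localhost.." cannot slip past an exact-match check.
function normalizeHostname(host: string): string {
  let h = host.trim().toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1); // bracketed IPv6 literal
  return h.replace(/\.+$/, "");
}

const RESERVED_NAMES = new Set(["localhost"]);
const RESERVED_SUFFIXES = [".localhost", ".local", ".internal"];

function isReservedIPv4(h: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||   // this-host, RFC 1918, loopback
    (a === 169 && b === 254) ||           // link-local, incl. 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||  // RFC 1918
    (a === 192 && b === 168)              // RFC 1918
  );
}

function isReservedHost(host: string): boolean {
  const h = normalizeHostname(host);
  if (h === "" || RESERVED_NAMES.has(h)) return true;
  if (RESERVED_SUFFIXES.some((s) => h.endsWith(s))) return true;
  if (isReservedIPv4(h)) return true;
  // IPv6: unspecified, loopback, link-local, unique-local.
  return h === "::" || h === "::1" || h.startsWith("fe80:") || /^f[cd][0-9a-f]{2}:/.test(h);
}

// 3. Outbound allowlist for a bot's serviceUrl: parse the URL, then compare the
//    normalized host against exact names or "*.suffix" patterns. A string-prefix
//    check on the raw URL would accept "https://allowed.example.evil.test/".
function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

function isAllowedServiceUrl(raw: string, allowedHosts: string[]): boolean {
  const url = parseUrl(raw);
  if (url === null) return false;
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false; // never ship creds in the URL
  const host = normalizeHostname(url.hostname);
  if (host === "" || isReservedHost(host)) return false;
  return allowedHosts.some((entry) => {
    const pattern = normalizeHostname(entry);
    if (pattern.startsWith("*.")) {
      // "*.trafficmanager.net" matches "smba.trafficmanager.net", but neither the
      // apex "trafficmanager.net" nor "trafficmanager.net.evil.test".
      return host.endsWith(pattern.slice(1));
    }
    return host === pattern;
  });
}
```

Two caveats apply when using checks like these. Name-based filtering is only the first gate for SSRF: the address that the hostname actually resolves to at connect time must be checked as well, or DNS rebinding walks straight past the list; alternative IPv4 encodings (decimal, hex, octal) and IPv4-mapped IPv6 addresses are also not handled here. For the allowlist, match on the parsed and normalized host, as shown, never on a prefix of the raw URL string.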
Codex Runtime and App-Server Stability
Significant improvements have been made to the Codex integration to ensure production stability:
Shared Client Preservation: Logical failures in spawned helper runs (such as a 401 authentication error) no longer retire the shared app-server client used by the main session, so a failing helper no longer causes unnecessary gateway disconnects (#87375, #87428).
Memory Routing: Native Codex workspace MEMORY.md is now routed through tools when available, reducing the prompt budget consumption for tool-enabled turns (#87383, #87403).
Model Resolution: Codex runtime models are now resolved before generic routing to ensure more predictable behavior (#87383).
Provider and Model Expansion
OpenAI-Compatible Embeddings: A new core openai-compatible embedding provider has been added, allowing for easier integration with local and hosted OpenAI-style endpoints (e.g., Ollama) without requiring a separate plugin (#85269).
DeepInfra Enhancements: The DeepInfra plugin now dynamically loads the full model catalog during onboarding, adding support for image and video generation catalogs and fixing Anthropic prompt caching markers (#84549).
Pixverse Integration: Added the Pixverse video generation provider with API region selection support.
Claude CLI OAuth: PI auth profiles now correctly load Claude CLI OAuth credentials, ensuring that side questions (/btw) and embedded runs preserve external CLI authentication (#87167).
Performance and Delivery
Gateway Latency: Reply latency is reduced by propagating metadata snapshots and removing ESM import-time side effects from the auth environment-variable code, which eliminates redundant disk scans during startup and on model-auth paths (#86439).
Durable Delivery: Telegram sendMessage actions now use the durable outbound delivery path, ensuring that agent outputs are not lost during platform timeouts or gateway restarts (#87261).
Session Management: A critical fix addresses a deadlock in which embedded Pi tool-call processing could wait on its own session event queue, which previously could hang the entire gateway (#86123).
Impact
Fixed Issues
Session Lock Leaks: Fixed a bug where session write locks were leaked after an embedded run timeout during subagent announce, which previously required a gateway restart to resolve (#86816, #87278).
False Write Warnings: Resolved an issue where "Write failed" or "Edit failed" warnings were shown even when files were successfully saved, by implementing a source-backed readback verification path (#86855).
QMD Search Crashes: On Apple Silicon, valid QMD search results are now salvaged even if the subprocess exits with a non-zero code due to Metal GPU cleanup crashes (#87225).
Discord Noise: Recovered tool-warning artifacts are now suppressed from successful Discord replies to reduce noise (#87452).
Plugin SDK Changes
Deprecation: Memory-specific embedding provider registration is now deprecated in favor of the generic embedding provider bridge (#85072).
SDK Cleanup: Vitest-backed test helpers have been removed from public SDK exports to prevent ERR_MODULE_NOT_FOUND crashes for clean package consumers (#87120).
Upgrade Guide
Breaking Changes
Plugin SDK Exports: Test helpers under openclaw/plugin-sdk/* (e.g., plugin-test-contracts) are no longer exported. If your custom scripts import them, vendor or reimplement them in your own development environment instead of depending on the SDK for them.
Migration Steps
Embedding Providers: If you are using legacy memory-specific embedding providers, you will see a compatibility notice. It is recommended to migrate to the new openai-compatible core provider or the generic api.registerEmbeddingProvider seam.
Heartbeat Templates: The heartbeat runtime template has been moved to src/agents/templates/. Running openclaw doctor --fix is recommended to repair legacy heartbeat templates and ensure they are clean of documentation boilerplate.