OpenClaw new version prohibits AI models from enabling high-risk configurations through dialogue


ME News Report, April 14 (UTC+8): according to 1M AI News monitoring, the open-source AI agent platform OpenClaw has released version v2026.4.14. Unlike the intensive feature updates of the past two weeks, this release adds almost no new features; roughly 12 of its more than 50 fixes target security hardening directly, making it the most concentrated round of security tightening in recent releases.
The most significant architectural change is the tightening of permissions for the gateway tool. Previously, AI models could modify an instance's configuration through config.patch and config.apply, including enabling high-risk flags such as dangerouslyDisableDeviceAuth and allowInsecureAuth. The new version intercepts such calls at the gateway tool level: any patch request that would enable a dangerous flag listed by the openclaw security audit is rejected as a whole; flags that are already enabled are left unaffected, and modifications to non-dangerous configuration items proceed as before.
This means that even if the model is induced by prompt injection, it can no longer switch off the audited security protections through dialogue alone.
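To illustrate the gateway-level check described above, here is an added example (not OpenClaw's own code) of a guard that rejects a whole config patch if it would newly enable a deny-listed flag, while letting already-enabled flags and non-dangerous keys through. The flag names are the two mentioned in the release notes; the flat key/value patch shape and the function names are assumptions made for this example.

```javascript
// Deny list of flags that a config patch may not newly enable. The two names come
// from the release notes; a real deployment would load the full audit list.
const DANGEROUS_FLAGS = new Set([
  "dangerouslyDisableDeviceAuth",
  "allowInsecureAuth",
]);

// Inspect a patch against the current config.
// Returns { ok: true } or { ok: false, rejected: [flag, ...] }.
function guardConfigPatch(currentConfig, patch, dangerousFlags = DANGEROUS_FLAGS) {
  const rejected = [];
  for (const [key, value] of Object.entries(patch)) {
    if (!dangerousFlags.has(key)) continue;       // non-dangerous keys pass through
    const alreadyOn = currentConfig[key] === true;
    // Any truthy value counts as "enable" so that "true", 1 or "yes" cannot slip past.
    if (Boolean(value) && !alreadyOn) rejected.push(key);
    // Turning a dangerous flag off, or re-sending one that is already on, is allowed.
  }
  return rejected.length ? { ok: false, rejected } : { ok: true };
}

// Apply the patch only when the guard passes; a rejected patch changes nothing,
// including its harmless keys, mirroring the "reject the whole request" rule.
function applyGuardedPatch(currentConfig, patch) {
  const verdict = guardConfigPatch(currentConfig, patch);
  if (!verdict.ok) return { config: currentConfig, verdict };
  return { config: { ...currentConfig, ...patch }, verdict };
}

// Constructed sample: a prompt-injected model tries to disable device auth
// while also tweaking a harmless setting in the same patch.
const sampleConfig = {
  allowInsecureAuth: true,            // already on: a patch repeating it is fine
  dangerouslyDisableDeviceAuth: false,
  logLevel: "info",
};
const samplePatch = { dangerouslyDisableDeviceAuth: true, logLevel: "debug" };
const sampleResult = applyGuardedPatch(sampleConfig, samplePatch);
// sampleResult.verdict -> { ok: false, rejected: ["dangerouslyDisableDeviceAuth"] }
```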
Other security fixes cover multiple attack surfaces:

  1. Browser SSRF policies received a systematic patch: several regressions were fixed (local Chrome connections being wrongly blocked in strict mode, hostname navigation being blocked, attach-only mode detection failing), and SSRF policies are now also enforced on routes such as snapshot and screenshot.
  2. Slack interaction events now strictly verify the allowFrom whitelist; previously, block-action and modal interactions could bypass it. Microsoft Teams SSO login gained a sender whitelist check, and the Feishu whitelist fixes cover case-insensitive matching and a user/chat namespace confusion.
  3. Local attachment path parsing now rejects realpath failures to prevent path traversal from bypassing directory checks.
  4. The console frontend replaced marked.js with markdown-it, fixing ReDoS freezes triggered by malicious Markdown.
  5. The auto-reply queue now isolates authorization context based on sender identity, preventing queued messages from different senders from executing under incorrect permissions.
There are only two functional updates: preset GPT-5.4-pro model definitions and pricing configurations, providing forward compatibility ahead of OpenAI's official launch; and Telegram forum topics now display human-readable topic names instead of internal IDs.
(Source: BlockBeats)