OpenClaw new version prohibits AI models from enabling high-risk configurations through dialogue


ME News message, April 14 (UTC+8). According to monitoring by 1M AI News, the open-source AI Agent platform OpenClaw released v2026.4.14. Unlike the intensive feature updates from the past two weeks, this version has almost no new features. Of more than 50 fixes, about 12 directly target security hardening, making it the most concentrated recent security tightening.

The most important architectural change is tightening the permissions of the gateway tool. Previously, AI models could modify instance configurations by calling config.patch and config.apply, including enabling high-risk flags such as dangerouslyDisableDeviceAuth and allowInsecureAuth. In the new version, such calls are blocked at the gateway tool level: any patch request that would newly enable a dangerous flag listed in openclaw security audit is rejected. Flags that are already enabled are not affected, and modifications to non-dangerous configuration items proceed as usual. This means that even if the AI is induced by prompt injection, it cannot bypass the protections in the security audit checklist through conversation.
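As an added illustration (not OpenClaw's own code) of the gateway-level guard described above, the function below refuses any config patch that would flip a dangerous flag from off to on, while leaving already-enabled flags, flag disabling and non-dangerous keys untouched; the flat config shape, the function names and the hard-coded audit list are assumptions.

```typescript
// Added example: a gateway-side guard for config.patch-style requests.
// Assumptions: a flat key/value config object and a flat list of dangerous
// flag names standing in for whatever `openclaw security audit` reports.
type Config = Record<string, unknown>;

// Flag names taken from the article; the real audit list is assumed to be longer.
const DANGEROUS_FLAGS: readonly string[] = [
  "dangerouslyDisableDeviceAuth",
  "allowInsecureAuth",
];

interface PatchResult {
  ok: boolean;
  config: Config;     // resulting config (unchanged when rejected)
  rejected: string[]; // dangerous flags the patch tried to newly enable
}

// Fail closed: anything other than false/null/undefined counts as "enabled",
// so a string "true" or a 1 cannot slip past a strict `=== true` check.
function isEnabled(value: unknown): boolean {
  return value !== undefined && value !== null && value !== false;
}

// Reject a patch that would newly enable a dangerous flag; otherwise merge it.
function applyConfigPatch(current: Config, patch: Config): PatchResult {
  const rejected: string[] = [];
  for (const flag of DANGEROUS_FLAGS) {
    const wasEnabled = isEnabled(current[flag]);
    const wantsEnabled = flag in patch && isEnabled(patch[flag]);
    if (!wasEnabled && wantsEnabled) rejected.push(flag);
  }
  if (rejected.length > 0) {
    // Refuse the whole patch so a mixed request cannot partially apply.
    return { ok: false, config: current, rejected };
  }
  return { ok: true, config: { ...current, ...patch }, rejected };
}
```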

The remaining security fixes cover multiple attack surfaces:

  1. Browser SSRF policies have undergone a systematic patch, fixing multiple regressions in strict mode—such as local Chrome connection being mistakenly blocked, hostname navigation being blocked, and attach-only mode detection failures—while also enforcing SSRF policies on routes such as snapshot and screenshot.
  2. Slack interactive events now enforce the allowFrom whitelist. Previously, block-action and modal interactions could bypass this whitelist. Microsoft Teams SSO login also gained sender whitelist checks. The Feishu whitelist fixes address case-insensitive matching and user/chat namespace confusion.
  3. Local attachment path parsing has been changed to reject immediately if realpath fails, preventing path traversal from bypassing the allowed-directory checks.
  4. The console frontend replaced marked.js with markdown-it, fixing ReDoS freezes that could be triggered by malicious Markdown.
  5. The auto-reply queue isolates the authorization context by sender identity, preventing queued messages from different senders from executing under incorrect permissions.

In terms of functionality, there are only two items: a predefined gpt-5.4-pro model definition and pricing configuration, providing forward compatibility before OpenAI officially launches it; and Telegram forum topics can now display human-readable topic names instead of internal IDs.

(Source: BlockBeats)
