Deep dive
OpenClaw 2026.5.26 Update: Security Overhaul, Durable Transcripts, Voice SDK
OpenClaw's May 26, 2026 release is described by the team as focused on "faster gateway and reply paths, more reliable transcripts, broader channel support, stronger security boundaries, and improved observability." This video breaks all of that down into plain English — including seven specific security fixes that every OpenClaw user should know about.
"OpenClaw 2026.5.26 Update Just Dropped..." by Julian Goldie SEO — Watch on YouTube →
Key Takeaways
- The gateway now caches plugin metadata, package paths, model cost indexes, and channel resolution — eliminating the redundant re-scanning that was slowing every request.
- Seven security fixes shipped in this release, including SSRF protection on browser snapshot URLs, prompt-injection guards on file reads, and an always-on auth rate limiter.
- Transcripts are now routed through a single reliable path — enabling a new real-time meeting-notes feature that survives agent restarts mid-session.
- A shared voice SDK now backs all voice services (Discord, Google Meet, browser talk, gateway talk), fixing bugs that were only getting patched in some implementations.
- Sharp (the image processing library that frequently failed on ARM and Linux setups) has been replaced with Raster Mill — cleaner installs, fewer dependencies.
The seven security fixes, and what each one blocks
This release ships seven targeted security improvements. All seven apply automatically once you update — there's nothing to configure — but it's worth understanding what each one closes, especially if your agent reads untrusted content or is reachable remotely.
| Fix | What it blocks |
|---|---|
| Browser snapshot URLs validated against SSRF policy before any read | A malicious site your agent visits tricking it into requesting internal/private endpoints (server-side request forgery). |
| System event text sanitized so plugin/channel labels can't inject prompt markers | A bad actor planting fake instructions via a crafted channel name or plugin label. |
| Fetched file text + metadata wrapped as external content | Prompt injection through files: fetched content is delimited as untrusted external data instead of being passed through as if it were part of the conversation. Wrapping lowers the risk but does not neutralise injected text, so tool permissions should still not hinge on what a file says. |
| Click-Clack sender allow-list runs before agent dispatch | A stranger spoofing a sender identity to issue commands over the cross-agent protocol. |
| Stale device tokens rejected during rotation | An old, invalidated session still issuing commands during the rotation window. |
| Memory-store tool rejects prompt-like text before embedding | A hidden instruction being planted in the agent's long-term memory through a crafted input. |
| Default auth rate limiter for remote gateway failures now on by default | Brute-force attempts against your gateway — limited out of the box, no config needed. |
The release notes credit community security researchers for reporting several of these. The takeaway: update to get all seven, and review the cross-platform security center if your agent handles real credentials.
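To make the first row concrete, here is an added example of an outbound-URL policy check of the kind described; it is written for this page and is not OpenClaw's code, and the function names, blocked-range lists and the FAKE_DNS table are assumptions. It parses the URL, allows only http and https, rejects embedded credentials and reserved names, and then checks every address the host maps to, including IPv4-mapped and link-local IPv6 literals, so a name that answers with one public and one private address is refused.

```javascript
// Added example, not OpenClaw's code: an outbound-URL policy check of the kind the
// "validated against SSRF policy before any read" fix describes. The function names,
// the blocked-range lists and the FAKE_DNS table below are assumptions for this demo.

// IPv4 ranges an agent should never fetch from. 169.254.0.0/16 holds the cloud
// metadata endpoint (169.254.169.254); 100.64.0.0/10 is carrier-grade NAT space.
const BLOCKED_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
  "224.0.0.0/4", "240.0.0.0/4",
];
// Name suffixes that point inward no matter what DNS returns.
const BLOCKED_SUFFIXES = [".localhost", ".local", ".internal", ".arpa"];
const V4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isIpv4(s) { return V4_RE.test(s) && s.split(".").every((o) => Number(o) <= 255); }
function ipv4ToInt(ip) { return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0; }

function inCidr4(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}
function isBlockedIpv4(ip) { return BLOCKED_V4.some((c) => inCidr4(ip, c)); }

// Expand an IPv6 literal into eight hextet numbers. A trailing dotted quad
// (::ffff:10.0.0.1) is folded into the last two hextets first.
function expandIpv6(ip) {
  let s = ip.toLowerCase();
  const m = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (m) {
    const n = ipv4ToInt(m[2]);
    s = `${m[1]}${(n >>> 16).toString(16)}:${(n & 0xffff).toString(16)}`;
  }
  const [head, tail = ""] = s.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const fill = s.includes("::") ? Array(8 - h.length - t.length).fill("0") : [];
  return [...h, ...fill, ...t].map((x) => parseInt(x, 16));
}

function isBlockedIpv6(ip) {
  const h = expandIpv6(ip);
  if (h.length !== 8 || h.some(Number.isNaN)) return true;            // malformed: fail closed
  const zeros = (n) => h.slice(0, n).every((x) => x === 0);
  const embeddedV4 = () => `${h[6] >> 8}.${h[6] & 0xff}.${h[7] >> 8}.${h[7] & 0xff}`;
  if (zeros(7) && h[7] <= 1) return true;                              // :: and ::1
  if (zeros(5) && h[5] === 0xffff) return isBlockedIpv4(embeddedV4()); // ::ffff:a.b.c.d
  if (h[0] === 0x64 && h[1] === 0xff9b && h.slice(2, 6).every((x) => x === 0))
    return isBlockedIpv4(embeddedV4());                                // 64:ff9b::/96 (NAT64)
  if ((h[0] & 0xfe00) === 0xfc00) return true;                         // fc00::/7 unique local
  if ((h[0] & 0xffc0) === 0xfe80) return true;                         // fe80::/10 link-local
  return (h[0] & 0xff00) === 0xff00;                                   // ff00::/8 multicast
}

function isBlockedIp(ip) {
  if (isIpv4(ip)) return isBlockedIpv4(ip);
  if (ip.includes(":")) return isBlockedIpv6(ip);
  return true; // not an address literal at all: fail closed
}

// Validate a URL before the agent fetches it. `resolve(host)` returns the addresses
// the name maps to; it is injected so the check runs offline here and so the caller
// can pin the same address on the real connection (otherwise DNS rebinding wins).
function checkSnapshotUrl(raw, resolve) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const isV6 = url.hostname.startsWith("[");
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase(); // drop IPv6 brackets
  if (host === "localhost" || BLOCKED_SUFFIXES.some((s) => host.endsWith(s)))
    return { ok: false, reason: `host ${host} is reserved` };
  const addrs = isV6 || isIpv4(host) ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: `host ${host} did not resolve` };
  const bad = addrs.find(isBlockedIp); // every answer must be public, not just the first
  if (bad) return { ok: false, reason: `${host} resolves to blocked address ${bad}` };
  return { ok: true, host, addrs };
}

// Constructed stand-in for DNS so the example runs offline.
const FAKE_DNS = {
  "example.com": ["93.184.216.34"],
  "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"], // mixed public/private answers
};
const fakeResolve = (host) => FAKE_DNS[host] ?? [];

for (const u of [
  "https://example.com/page", "http://169.254.169.254/latest/meta-data/",
  "http://[::ffff:169.254.169.254]/", "http://2130706433/", "file:///etc/passwd",
  "http://rebind.attacker.test/",
]) console.log(u, "=>", JSON.stringify(checkSnapshotUrl(u, fakeResolve)));
```

Two things a check like this cannot do on its own: the actual fetch has to connect to the address that was validated, not resolve the name a second time (a rebinding host returns a public address for the check and a private one for the connection), and every redirect target has to go back through the same check, since a harmless public page can 302 to the metadata endpoint.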
Channel and Voice Improvements
Telegram now correctly keeps typing indicators and progress context inside forum topics. iMessage attachment routes are fixed, and de-duplication of local messages is improved. WhatsApp group and media behavior is restored after regressions in earlier releases. Signal, iMessage, and WhatsApp all now support reaction approvals: you can approve an agent action by reacting with a thumbs up instead of typing /approve.
Settings & defaults that changed
If you maintain a config, these are the concrete changes worth checking after updating:
- `cron.max_concurrent_runs` now defaults to `8` (was effectively 1). Scheduled tasks (morning briefings, data pulls, background checks) now run in parallel instead of queuing. If you deliberately want serial execution, set it to `1` explicitly; also check that tasks which share a rate-limited API or write to the same files are safe to run at the same time.
- Image backend swapped: Sharp → Raster Mill. OpenClaw no longer installs the Sharp Node.js library at all, which was the most common cause of install failures on ARM and some Linux setups. Raster Mill covers metadata reading, resizing, EXIF orientation, and PNG alpha. No action needed; installs just get cleaner. If you previously added a Sharp workaround, you can remove it.
- Auth rate limiter is now on by default (see security table). If you have a custom limiter config, confirm it isn't now redundant.
- Bundled Codex updated to 0.134.0. If you use OpenClaw with the Codex plugin for coding tasks, you're on the latest after updating.
As always, run `openclaw backup` (or your equivalent) before updating a working setup, and run `openclaw doctor` after to catch any config drift.
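For readers checking whether their own limiter config is still needed, here is an added illustration of what a failure-counting auth limiter does. It is not OpenClaw's limiter and its class name, defaults, and injectable clock are assumptions for this page: only failed attempts count, they age out of a window, a burst triggers a lockout that doubles on repeat, and a successful login clears the record.

```javascript
// Added example, not OpenClaw's limiter: a failure-counting auth rate limiter of the
// kind the "on by default" bullet above describes. The class, its defaults and the
// injectable clock are assumptions for this illustration.
class AuthFailureLimiter {
  // windowMs: how long a failure counts; maxFailures: failures allowed per window;
  // lockoutMs: first lockout, doubled for each consecutive lockout up to maxLockoutMs.
  constructor({ windowMs = 60_000, maxFailures = 5, lockoutMs = 30_000,
                maxLockoutMs = 15 * 60_000, now = Date.now } = {}) {
    Object.assign(this, { windowMs, maxFailures, lockoutMs, maxLockoutMs, now });
    this.state = new Map(); // key (e.g. client IP) -> { failures: [ts], lockedUntil, strikes }
  }
  entry(key) {
    if (!this.state.has(key)) this.state.set(key, { failures: [], lockedUntil: 0, strikes: 0 });
    return this.state.get(key);
  }
  // Call before checking credentials: milliseconds to wait, or 0 if the attempt may proceed.
  retryAfter(key) {
    return Math.max(0, this.entry(key).lockedUntil - this.now());
  }
  // Call after a failed login. Returns true if this failure started a lockout.
  recordFailure(key) {
    const e = this.entry(key), t = this.now();
    e.failures = e.failures.filter((ts) => t - ts < this.windowMs); // drop expired failures
    e.failures.push(t);
    if (e.failures.length < this.maxFailures) return false;
    e.failures = [];
    e.lockedUntil = t + Math.min(this.lockoutMs * 2 ** e.strikes, this.maxLockoutMs);
    e.strikes += 1;
    return true;
  }
  // Call after a successful login so a legitimate user's old failures stop counting.
  recordSuccess(key) { this.state.delete(key); }
}

// Gateway-side use: refuse the attempt before the credential store is consulted.
function handleAuth(limiter, key, credentialsValid) {
  const wait = limiter.retryAfter(key);
  if (wait > 0) return { status: 429, retryAfterMs: wait };
  if (credentialsValid) { limiter.recordSuccess(key); return { status: 200 }; }
  return { status: 401, lockedOut: limiter.recordFailure(key) };
}

// Demo: a brute-force burst from one constructed source address, then the lockout response.
const demo = new AuthFailureLimiter({ maxFailures: 3 });
for (let i = 0; i < 4; i++) console.log(handleAuth(demo, "203.0.113.7", false));
```

Key on the client address you actually trust: behind a reverse proxy that is the forwarded client address, not the proxy's own, or one lockout will cover every user. Since an attacker with many addresses sidesteps a per-IP limiter, pair it with a per-account limit, and log lockouts so repeated bursts show up in detection.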
Related on OpenClawDatabase
- OpenClaw Hub — guides, setup, and platform overview
- OpenClaw Security Guide — prompt injection, SSRF, and agent hardening
- OpenClaw Configuration — gateway, cron, and channel settings
- Changelog — all tracked OpenClaw releases