OpenClaw released version 2026.4.9 on April 9, 2026, and this update is not a routine polish pass. According to the official release notes on GitHub, the team shipped five distinct security fixes in a single release; that is a high concentration for a project that usually spaces security patches out across multiple updates. If your business is running OpenClaw agents in any customer-facing or data-sensitive capacity, you need to understand what was patched and why it matters before your next agent run.
I will walk you through each security fix in plain English, explain what the risk was before patching, and then cover the non-security improvements that also landed in this release. At the end, I will give you a clear action checklist based on how you are using OpenClaw today.
Short version: Update to OpenClaw 2026.4.9 now if you run agents against any external URLs, use a workspace .env file, or connect remote nodes to your gateway. Three of the five security fixes close active attack vectors, not theoretical ones.
The Five Security Fixes - Translated
Here is each fix explained the way you would explain it to a business partner who does not write code.
Fix 1: Browser Safety Checks Could Be Bypassed via Click Interactions
OpenClaw's browser agent can navigate websites, click links, fill out forms, and extract data. It has a built-in safety system called the SSRF quarantine (SSRF stands for Server-Side Request Forgery - a category of attack where software is tricked into fetching content from unauthorized locations).
The problem: before this fix, if an agent was given a page that triggered a browser click or JavaScript evaluation, it could land on a blocked destination and bypass the safety check. The check ran once at the start but did not re-run after interaction-driven navigation.
Why this matters for your business: If your agents browse the web on your behalf - scraping competitor prices, reading news feeds, gathering research - a malicious page could have used this gap to redirect your agent to an internal company URL (like your intranet, internal admin panel, or cloud metadata service) and extract data that should never leave your network.
The fix runs the safety check again after every click, evaluate, hook-triggered click, and batched action flow. The bypass window is now closed.
Fix 2: Untrusted Workspace .env Files Could Override Security Controls
OpenClaw supports workspace .env files - configuration files that sit in your project directory and tell the agent things like which API keys to use or how to connect to services. This is a normal developer workflow.
The problem: before this fix, a malicious or compromised .env file in a workspace could override runtime-control environment variables, including variables that control browser security behavior and server connection logic. If someone had placed a crafted .env in a shared project directory (a contractor, a compromised dependency, even a misconfigured git clone), they could have silently changed how your agents behave without touching your main configuration.
Why this matters: In team environments where multiple people share project directories, or in CI pipelines where third-party code gets checked out automatically, this was a real supply-chain risk. You might never have noticed the override unless you were specifically auditing env variable precedence.
The fix explicitly blocks runtime-control env vars from being overridden by untrusted workspace .env files, and also rejects unsafe URL-style browser control override specifiers before they can be loaded.
Fix 3: Remote Node Output Could Inject Text Into Agent Context
This is the one that concerns me most for enterprise deployments. OpenClaw supports remote nodes - machines or containers that run workloads on behalf of your central gateway. When a remote node runs a command, it sends back status events: exec.started, exec.finished, exec.denied.
The problem: before this fix, the text content of those events was not sanitized before being added to the agent's conversation context. A compromised or malicious remote node could craft its output to inject text that looked like a trusted System: message inside the agent's reasoning stream. This is a prompt injection attack at the infrastructure level.
Why this matters: If you run OpenClaw in a distributed setup - multiple nodes, cloud workers, containerized executors - one compromised worker could potentially manipulate what your main agent believes it was instructed to do. This is not a hypothetical; it is exactly how AI agent supply-chain attacks work in practice.
The fix marks all remote node exec events as untrusted system events and sanitizes the command/output/reason text before they are added to the agent queue. The agent's trusted context is now isolated from remote-node content.
Fix 4: Untrusted Workspace Plugins Could Steal Bundled Provider Auth Flows
OpenClaw supports a plugin ecosystem. When you install a workspace plugin (a third-party add-on, a custom integration, or a community-built tool), that plugin participates in the onboarding flow for authenticating with AI providers like Anthropic or OpenAI.
The problem: before this fix, an untrusted workspace plugin could register auth-choice IDs that collided with the bundled provider IDs. During non-interactive onboarding (when the setup process runs without human review, like in CI environments or automated deployments), those collisions could route your provider credentials through the untrusted plugin's handler.
Why this matters: Your Anthropic API key or other provider credentials are high-value targets. A malicious plugin that intercepts the auth flow could silently capture them. Plugin marketplaces are a known attack vector across all software ecosystems; this fix adds a hard boundary so workspace plugins cannot intercept bundled provider setup regardless of what IDs they claim.
The fix prevents untrusted workspace plugins from colliding with bundled provider auth-choice IDs and keeps operator secrets out of untrusted plugin handlers unless those plugins have been explicitly trusted by the user.
Fix 5: Known CRLF Injection Vulnerability in basic-ftp Dependency
This one is the most straightforward. OpenClaw uses a third-party library called basic-ftp for FTP-related functionality. A known security vulnerability in older versions of that library (a CRLF injection flaw - where an attacker can smuggle hidden commands into network protocols via line-break characters) was fixed in version 5.2.1.
The fix forces basic-ftp to version 5.2.1 across all resolution paths, closing that vulnerability. The release also bumps Hono and the Hono Node server package in production paths, which addresses additional dependency-level exposure.
Why this matters: Unpatched third-party dependencies are the most common entry point for real-world attacks. You may never use FTP in your OpenClaw setup, but the vulnerable library is present in the package tree regardless. The fix is mandatory across all installs.
Non-Security Improvements: What Else Changed
Security dominated this release, but there are meaningful feature additions and stability fixes that business users will notice.
Memory and Dreaming: Smarter Long-Term Agent Memory
One of OpenClaw's most powerful and least-understood capabilities is its memory system. Agents can retain facts across conversations, build up long-term knowledge about your business, and "dream" during idle periods to consolidate what they have learned. Think of it like the way humans process and organize memories during sleep; OpenClaw's dreaming system does something similar for agents.
Version 2026.4.9 adds a grounded REM backfill lane. In practical terms, this means your agents can now replay old daily notes and diary entries into their Dreams and durable memory without requiring a second memory stack running in parallel. This was a significant architectural limitation before; building up historical memory required duplicating memory infrastructure. Now old notes and conversations can feed directly into the long-term memory pipeline.
For business owners running assistants, research agents, or customer service bots, this means your agent's long-term memory will be more complete and easier to maintain. If you want to understand how memory and context work in OpenClaw, our guide on OpenClaw core concepts walks through the architecture in non-technical terms.
The Control UI also gains a structured diary view with timeline navigation and backfill controls, so you can now visually inspect and manage what your agents remember over time. This is a meaningful step toward auditability - you can see exactly what your agent "knows" and when it learned it.
Android and iOS: Pairing and Versioning Fixes
If you use the OpenClaw mobile app to manage or interact with your agents from your phone, both platforms received important fixes in this release.
On Android, a pairing bug was fixed that caused QR scan-based pairing to fail when users tried to reconnect after a session drop. The fix clears stale setup-code auth on new QR scans and bootstraps operator and node sessions cleanly. Pausing auto-retry when the app is backgrounded prevents the app from hammering your gateway with reconnection attempts when you switch to another app.
On iOS, the release pins versioning to an explicit CalVer format (the same date-based versioning scheme OpenClaw uses for desktop releases), which will make it clearer when the iOS app is up to date with the desktop release train.
Slack, Matrix, and Channel Stability
Several messaging channel integrations received fixes. The most notable: Slack ACP block replies are now correctly treated as delivered output, which means OpenClaw will stop sending duplicate follow-up text after Slack already rendered a response. If you have noticed agents occasionally double-posting in Slack, this fix addresses it.
Matrix channel handling was also improved, with startup now waiting for Matrix sync readiness before marking the channel as ready, and fatal sync failures routed through proper restart handling instead of crashing the whole gateway.
Agent Timeouts: A Configuration Note for Power Users
The agents/timeouts fix is worth calling out specifically because it changes configuration behavior. The LLM idle timeout now inherits from agents.defaults.timeoutSeconds when that value is configured, and the idle watchdog is disabled for cron runs (scheduled agent runs) by default.
If you have been fighting with agents timing out during long automated tasks, this change may resolve it without any configuration changes on your part. But if you have explicit timeout values configured, double-check your agents.defaults.llm.idleTimeoutSeconds setting after updating to make sure the inheritance behavior matches your expectations. Our OpenClaw install and setup guide covers how to find and edit your configuration file.
Should You Update Right Now?
The answer depends on how you are using OpenClaw, but for most business deployments the answer is yes, today.
Here is how to think about urgency based on your setup:
- You use browser agents that navigate external websites: Update immediately. Fix 1 (SSRF bypass) applies directly to your setup.
- You use a shared project directory or CI pipeline: Update immediately. Fix 2 (env var injection) applies if anyone other than you can write to your workspace.
- You run a multi-node or distributed OpenClaw setup: Update immediately. Fix 3 (node exec injection) applies if you have remote workers connected to your gateway.
- You have installed community or third-party plugins: Update before your next plugin install or onboarding run. Fix 4 (plugin auth collision) applies during onboarding flows.
- You run a simple single-user OpenClaw install for personal productivity: Update within the week. Fix 5 (dependency vulnerability) applies to everyone regardless of configuration.
There are no known breaking changes in this release that would disrupt your existing workflows. The release notes list only fixes and additions; no existing behavior was intentionally removed or changed in a way that would break current deployments.
What About NemoClaw Enterprise Users?
NemoClaw is NVIDIA's enterprise-hardened distribution of OpenClaw, designed for regulated industries and large organizations that need additional security controls, compliance documentation, and dedicated support. If your organization runs NemoClaw, the security fixes in OpenClaw 2026.4.9 are relevant to you, but the update path is different.
NemoClaw typically lags the upstream OpenClaw release by days to weeks, depending on their validation cycle. I was not able to confirm a NemoClaw update as of this writing. Check with your NemoClaw account team for the patched version timeline, especially regarding the SSRF and node exec injection fixes.
If you want to understand the difference between running bare OpenClaw versus NemoClaw in terms of security posture and support, our guide on NemoClaw security covers the key distinctions in non-technical language.
How to Update OpenClaw
Updating OpenClaw follows the same process as the original install, depending on how you installed it. The quickest path for most users:
- npm install (global): Run
npm install -g openclaw@latestin your terminal and verify the version withopenclaw --version. - Desktop app: Open OpenClaw, go to Settings, and look for the update prompt; or download the latest
.dmgor installer directly from the GitHub releases page. - Docker or containerized: Pull the latest image tag and redeploy your container. Do not forget to restart running agent sessions after the update.
If you are not sure how you installed OpenClaw or what version you are running, our installation guide covers how to check your current version and the recommended update paths for each install method.
The Bottom Line
OpenClaw 2026.4.9 is a security-first release. Five separate security fixes in a single update is not routine maintenance; it reflects the team's ongoing response to the reality that AI agents are now running in production environments with real access to real business systems. That means the attack surface is real too.
The good news: all five vulnerabilities are now patched, and the update process is straightforward. The memory and channel improvements are meaningful additions, but the reason to update today is the security fixes.
If you run OpenClaw agents connected to your internal systems, customer data, or external APIs, treating this update as optional is the wrong call. Schedule the update for today or tomorrow at the latest.
New to OpenClaw or NemoClaw? Start with our plain-English overview of what OpenClaw is and why businesses are adopting it. Read the beginner's guide here.