Intro

OpenClaw just dropped another major release. Version 2.26 is packed, both in breadth and depth.

Three themes define this release: External Secrets Management, ACP Agents as First-Class Runtimes, and a record-breaking security patch batch. One reporter alone (@tdjackey) submitted multiple vulnerability reports, and the dev team patched every single one. Let’s dig in.


1. 🔐 External Secrets Management: No More Plaintext API Keys

Confession: I’ve been pasting API keys straight into openclaw.json. If you have too, 2.26 is the nudge we both needed. A complete secrets workflow has been introduced. (Thanks @joshavant)

New commands:

openclaw secrets audit     # Detect plaintext secrets exposed in current config
openclaw secrets configure # Set up your secrets backend
openclaw secrets apply     # Pull values from an external store and apply them
openclaw secrets reload    # Re-activate runtime snapshots, no restart needed!

Key highlights:

  • Strict secrets apply target-path validation: Prevents secrets from landing in the wrong place.
  • Safe migration scrubbing: When migrating plaintext values to a secrets store, originals are properly cleaned up.
  • Ref-only auth-profile support: Auth profiles can now be stored as references, not literal values, so your config file never has to contain an actual key.
  • Dedicated documentation added.

If you’ve been living on the edge with plaintext secrets, now’s the time to migrate. 🙈


2. 🤖 ACP/Thread-bound Agents: First-Class Runtime, Finally

This is the change I’m most personally excited about. ACP (Agent Communication Protocol) agents are now first-class runtimes for thread sessions. (Thanks @osolmaz)

What this means technically:

  • Native acp spawn/send dispatch integration: Spawning ACP agents into threads and messaging them is now a native capability.
  • acpx backend bridging: Smooth connection between the existing internal backend and ACP.
  • Lifecycle controls: Proper startup reconciliation and runtime cleanup, so no more orphaned agents.
  • Coalesced thread replies: Duplicate or garbled replies within the same thread are resolved.

For anyone running a multi-agent setup, this makes inter-agent communication significantly more stable and predictable.


3. 🗺️ Agent Routing CLI: Explicit Channel-Account Binding Management

A brand-new CLI toolset for managing how messages route to agents. (Thanks @gumadeiras)

openclaw agents bindings  # List current bindings
openclaw agents bind      # Add an account-scoped route binding
openclaw agents unbind    # Remove a binding

This matters when you’re running multiple channels (Telegram, Discord, etc.) alongside multiple agent accounts and need explicit control over which agent handles which channel’s messages. The openclaw channels add flow also now optionally prompts for account binding on the spot.


4. ⚡ Codex WebSocket Transport: WebSocket Is Now Default

For OpenAI Codex users: the transport mode is now WebSocket-first (transport: "auto") with SSE fallback. Per-model and per-runtime transport overrides are still fully supported.


5. 📱 Android Nodes: Device Status & Notification Listing

Two Android node updates landed. (Thanks @obviyus x2)

  • device.status / device.info node commands: Query connected Android device status and info directly from agent tooling.
  • notifications.list support: Agents can now fetch the list of active notifications on an Android device via the nodes notifications_list tool.

Asking AI “what notifications do I have on my phone right now?” is getting closer to reality. 🤭


6. 🛡️ Security Patches: The @tdjackey Report Sprint

The real headline of 2.26 is security. One researcher (@tdjackey) filed multiple vulnerability reports, and the team patched all of them. Everything ships in the npm 2026.2.26 release.

Node exec approval bypass: Enforces structured commandArgv approvals for host=node, strict systemRunBindingV1 versioned matching, and adds GIT_EXTERNAL_DIFF to blocked host env keys.

Plugin channel HTTP auth path bypass: Normalizes /api/channels path checks against canonicalized paths (case, percent-decoding, slash normalization) so encoding tricks can’t bypass gateway auth.
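As an added illustration (not OpenClaw's code), here is the difference between gating on the raw request path and gating on its canonical form, with the canonicalization steps the fix above names: case folding, percent-decoding and slash normalization. The protected prefix, the decode-round bound and the function names are assumptions for the example.

```javascript
// Added example, not OpenClaw's code: a raw-prefix gate versus one evaluated on
// the canonical form of the path, as the 2.26 fix does for /api/channels.
const PROTECTED_PREFIX = "/api/channels";

// Naive gate: compares the request path exactly as the client sent it.
function naiveIsProtected(rawPath) {
  return rawPath.startsWith(PROTECTED_PREFIX);
}

// Canonical form: query stripped, percent-decoded to a fixed point (so
// double-encoding cannot survive), case-folded, slash runs and dot segments
// collapsed. Returns null for malformed encoding so the caller can answer 400.
function canonicalizePath(rawPath) {
  let p = rawPath.split(/[?#]/, 1)[0];
  for (let i = 0; ; i++) {
    if (i === 4) return null;                     // still changing after 4 rounds: reject
    let decoded;
    try { decoded = decodeURIComponent(p); } catch (_) { return null; }
    if (decoded === p) break;
    p = decoded;
  }
  const out = [];
  for (const seg of p.toLowerCase().split("/")) {
    if (seg === "" || seg === ".") continue;      // empty (from "//") and "." segments
    if (seg === "..") { out.pop(); continue; }    // cannot climb above "/"
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Hardened gate: decide on the canonical path, and only match whole segments
// so "/api/channelsx" is not mistaken for the protected subtree.
function hardenedIsProtected(rawPath) {
  const c = canonicalizePath(rawPath);
  if (c === null) return null;                    // malformed escape: answer 400, do not route
  return c === PROTECTED_PREFIX || c.startsWith(PROTECTED_PREFIX + "/");
}
```

The null return is the same behaviour the Chrome-extension fix in this release describes for malformed percent-encoding: a 400 response rather than a crash or a pass-through.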

Gateway node pairing metadata spoofing: Pins platform/deviceFamily metadata across reconnects and binds those fields into device-auth signatures, so reconnect spoofing can no longer expand node command allowlists.

Sandbox symlink escape via dangling symlinks: Broken symlink targets are resolved through existing ancestors; out-of-root targets fail closed, preventing apply_patch sandbox escapes.

Workspace FS boundary symlink aliases: Hardens canonical boundary resolution for non-existent-leaf symlinks, preventing first-write workspace escapes.

Config $include file hardening: Verified-open reads, hardlinked alias rejection, and file-size guardrails keep config includes bounded to trusted in-root files.

Exec approval plan freezing: system.run.prepare freezes immutable execution plans (argv/cwd/agentId/sessionKey), and mutable parent-symlink cwd paths are rejected during approval-plan building.

Microsoft Teams media fetch SSRF guard: Graph message/attachment fetches now route through shared SSRF-guarded fetch paths.

Twilio webhook replay hardening: Removes trust from unsigned i-twilio-idempotency-token, binding replay/dedupe identity to authenticated request material.

Pairing multi-account isolation: Account-scoped pairing allowlists and pending-request storage enforced across core and extension message channels.

That’s ten security fixes from a single reporter. @tdjackey did the community a real service here. 👏


7. 🔧 Other Notable Fixes (QoL Roundup)

The Great Typing Indicator Cleanup 🧹

2.26 hunted down a whole family of “stuck typing indicator” bugs:

  • Agent runner finalization always marks dispatch idle now (Thanks @Sid-Qin)
  • TTL safety net: max-duration guardrails on shared typing callbacks (Thanks @Crpdim)
  • Cross-channel leakage unified for Feishu, Matrix, Mattermost, MS Teams
  • Telegram sendChatAction 401 loops now get exponential backoff + local suppression (Thanks @widingmarcus-cyber)

Telegram Improvements:

  • DM allowlist runtime inheritance enforced, fixing silent DM drops after upgrades (Thanks @widingmarcus-cyber)
  • Inline buttons (callback queries) now work in groups with open policy (Thanks @GodsBoy)
  • Streaming preview no longer briefly shows 1-2 word fragments (Thanks @emanuelst)
  • webhookPort: 0 now supported for ephemeral listener binding

Browser/Chrome Extension Stability:

  • Handshake race condition fixed (no more stuck … badge)
  • Concurrent same-port startup deduplication
  • MV3 extension reconnect resilience (CDP clients survive brief disconnects)
  • CORS preflight and extension-origin header handling improved
  • Malformed percent-encoding paths now return 400 instead of crashing

Google Gemini Model ID Normalization: Bare gemini-3-pro, gemini-3.1-pro, and gemini-3-1-pro IDs now auto-normalize to the -low thinking tier, fixing 404 errors when the tier suffix is omitted. (Thanks @byungsker) I hit this personally; very welcome fix. 😅

Compaction Safety: Destructive double-compaction prevented; safeguard compaction cancelled when no real conversation messages exist. openclaw onboard --reset now defaults to config+creds+sessions scope (workspace deletion requires --reset-scope full).

Queue/Cron Reliability: Lane draining hardened, new enqueues rejected during gateway restart drain windows, isolated cron agent safety timeout raised to avoid false 10-minute races.


Wrap-Up

2.26 is a well-rounded release: new capabilities, stability wins, and a serious security hardening pass.

External secrets management is something I need to actually adopt now (no more excuses). The ACP first-class runtime upgrade is a foundational shift for multi-agent setups that will compound in importance over time. And those ten security patches? Update immediately if you haven’t already.

openclaw update

Don’t wait on this one. 🚀