The new version of OpenClaw prohibits AI models from enabling high-risk configurations through dialogue.

According to ME News, on April 14th (UTC+8), 1M AI News monitored the release of OpenClaw v2026.4.14, an open-source AI agent platform. Unlike the numerous feature updates of the past two weeks, this version contains almost no new features. Of the more than 50 fixes, about 12 directly address security hardening, making it the most concentrated security tightening in recent releases.

The most significant architectural change is the tightening of permissions on the gateway tool. Previously, AI models could modify instance configuration via `config.patch` and `config.apply` calls, including enabling high-risk flags such as `dangerouslyDisableDeviceAuth` and `allowInsecureAuth`. The new version intercepts these calls directly at the gateway tool level: any patch request that would newly enable a dangerous flag listed in the OpenClaw security audit is rejected; flags that are already enabled are left unaffected, and modifications to non-dangerous configuration items proceed as normal. This means that even if the AI is induced by prompt injection, it cannot use dialogue to bypass the protections on the security audit checklist.

Other security fixes cover multiple attack surfaces:

1. Browser SSRF policies have received a systematic patch, fixing several regressions such as unintended blocking of local Chrome connections in strict mode, blocked hostname navigation, and failed attachment-only mode detection. SSRF policies are now also enforced on routes such as snapshots and screenshots.
2. Slack interaction events now enforce validation of the allowFrom whitelist; previously, block-action and modal interactions could bypass it. Microsoft Teams SSO login now includes a sender whitelist check as well. Lark's whitelist fixes case-insensitive matching and user/chat namespace confusion.
3. Local attachment path resolution now rejects the path if realpath fails, preventing path traversal from bypassing the allowed-directory check.
4. The console frontend has replaced marked.js with markdown-it, fixing ReDoS freezes triggered by malicious Markdown.
5. The automatic reply queue now isolates authorization contexts by sender identity, preventing queued messages from different senders from executing under the wrong permissions.

Functionally, only two features are included: a pre-configured gpt-5.4-pro model definition and pricing configuration, added ahead of OpenAI's official launch in a backward-compatible way; and Telegram forum topics now display human-readable topic names instead of internal IDs. (Source: ME)
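The gateway-level guard described above, written out as an added illustration (this is not OpenClaw's own code; the dangerous-flag set is an assumption seeded with the two flags the article names, and the real audit checklist is longer):

```typescript
// Added example: a gateway-side guard for config.patch requests, modelled on the
// behaviour the release notes describe. Not OpenClaw's own code.
type Config = Record<string, unknown>;

// Assumed dangerous-flag list: only the two flags named in the article.
const DANGEROUS_FLAGS = new Set<string>([
  "dangerouslyDisableDeviceAuth",
  "allowInsecureAuth",
]);

interface PatchDecision {
  allowed: boolean;
  rejectedFlags: string[];
}

// Reject a patch only when it would turn a dangerous flag from off/absent to on.
// Re-setting a flag that is already on, turning one off, and touching any
// non-dangerous key all pass. A non-boolean value for a dangerous key is
// treated as malformed and rejected, so coercion tricks ("true", 1) do not slip by.
function checkConfigPatch(current: Config, patch: Config): PatchDecision {
  const rejectedFlags: string[] = [];
  for (const [key, value] of Object.entries(patch)) {
    if (!DANGEROUS_FLAGS.has(key)) continue;
    if (typeof value !== "boolean") {
      rejectedFlags.push(key);
      continue;
    }
    const wasEnabled = current[key] === true;
    if (value === true && !wasEnabled) rejectedFlags.push(key);
  }
  return { allowed: rejectedFlags.length === 0, rejectedFlags };
}

// Apply a patch only if the guard allows it; otherwise leave the config untouched.
function applyConfigPatch(current: Config, patch: Config): Config {
  const decision = checkConfigPatch(current, patch);
  if (!decision.allowed) {
    throw new Error(
      `config.patch rejected: would enable ${decision.rejectedFlags.join(", ")}`,
    );
  }
  return { ...current, ...patch };
}
```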
