OpenClaw New Version Prohibits AI Models from Enabling High-Risk Settings Through Dialogue


ME News Report, April 14 (UTC+8), according to 1M AI News monitoring, the open-source AI Agent platform OpenClaw released v2026.4.14. Unlike the intensive feature updates in the past two weeks, this version has almost no new features, with about 12 of over 50 fixes directly related to security reinforcement, making it the most concentrated security tightening recently.
The most significant architectural change is the tightening of the gateway tool's permissions. Previously, AI models could modify an instance's configuration through config.patch and config.apply, including enabling high-risk flags such as dangerouslyDisableDeviceAuth and allowInsecureAuth. The new version intercepts such calls at the gateway tool level: any patch request that would enable a dangerous flag listed by openclaw security audit is rejected; flags that are already enabled are unaffected, and modifications to non-dangerous settings proceed as usual. This means that even if the model is subjected to prompt injection, it cannot use the dialogue to bypass the protections covered by the security audit.
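The gating rule described above (reject a patch that would newly enable a dangerous flag, leave already-enabled flags alone, apply everything else) is small enough to show end to end. The following is an added illustration, not OpenClaw's own code: the two flag names come from the article, while the dotted-path patch format, the function names (`gate_config_patch`, `try_patch`) and the sample configuration values are assumptions made for this example.

```python
"""Gate a configuration patch so a model cannot newly enable a dangerous flag.

Added example, not OpenClaw's own code. The flag names come from the
article; the dotted-path patch format, the function names and the sample
configuration values are assumptions made for this illustration.
"""
import copy
from typing import Any

# Flags treated as dangerous. The two names are the ones the article cites;
# in practice the list would be whatever `openclaw security audit` reports.
DANGEROUS_FLAGS = frozenset({"dangerouslyDisableDeviceAuth", "allowInsecureAuth"})


class PatchRejected(Exception):
    """Raised when a patch would turn a dangerous flag from off to on."""


def _enabled(value: Any) -> bool:
    """Deny-by-default reading of 'is this flag on': strings are compared
    case-insensitively against common truthy spellings, everything else
    goes through bool()."""
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes", "on"}
    return bool(value)


def _lookup(config: dict, dotted: str) -> Any:
    """Read a nested value by dotted path; None if any segment is missing."""
    node: Any = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _assign(config: dict, dotted: str, value: Any) -> None:
    """Write a nested value by dotted path, creating intermediate dicts."""
    *parents, leaf = dotted.split(".")
    node = config
    for part in parents:
        node = node.setdefault(part, {})
        if not isinstance(node, dict):
            raise PatchRejected(f"{dotted!r} descends through a non-object value")
    node[leaf] = value


def gate_config_patch(current: dict, patch: dict[str, Any]) -> dict:
    """Return the merged configuration, or raise PatchRejected.

    Rules, following the article's description of the new gateway behaviour:
      * a patch that would enable a dangerous flag that is currently off is rejected;
      * a dangerous flag that is already on is left alone (re-asserting it, or
        turning it off, is allowed);
      * every other key is applied as usual.
    The check runs before anything is written, so a rejected patch changes nothing.
    """
    for dotted, new_value in patch.items():
        leaf = dotted.rsplit(".", 1)[-1]
        if leaf in DANGEROUS_FLAGS and _enabled(new_value) and not _enabled(_lookup(current, dotted)):
            raise PatchRejected(f"patch would enable dangerous flag {dotted!r}")
    merged = copy.deepcopy(current)  # never mutate the live config in place
    for dotted, new_value in patch.items():
        _assign(merged, dotted, new_value)
    return merged


def try_patch(current: dict, patch: dict[str, Any]) -> tuple[bool, dict]:
    """Convenience wrapper: (True, merged) on success, (False, current) on rejection."""
    try:
        return True, gate_config_patch(current, patch)
    except PatchRejected:
        return False, current


if __name__ == "__main__":
    # Constructed sample configuration.
    cfg = {"gateway": {"port": 8080, "dangerouslyDisableDeviceAuth": False}}
    print(try_patch(cfg, {"gateway.port": 9090}))                          # applied
    print(try_patch(cfg, {"gateway.dangerouslyDisableDeviceAuth": True}))  # rejected
```

The check is deliberately done on the leaf key name wherever it appears in the tree and on a normalised reading of the value, so a patch cannot get past the gate by nesting the flag under a different section or by sending the string "True" instead of a boolean.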
Other security fixes cover multiple attack surfaces:

  1. Browser SSRF policies have undergone a systematic patch, fixing multiple regressions such as local Chrome connection misblocking under strict mode, hostname navigation being blocked, attach-only mode detection failure, and enforcing SSRF policies on routes like snapshot and screenshot.
  2. Slack interaction events now strictly verify the allowFrom whitelist; previously, block-action and modal interactions could bypass this whitelist; Microsoft Teams SSO login also added sender whitelist checks; Feishu whitelist fixes include case-insensitive matching and namespace confusion between user/chat.
  3. Local attachment path parsing now rejects realpath failures to prevent path traversal bypassing directory checks.
  4. The console frontend replaced marked.js with markdown-it, fixing ReDoS freezes triggered by malicious Markdown.
  5. The auto-reply queue now isolates authorization contexts based on sender identity, preventing queued messages from different senders from executing under incorrect permissions.
There are only two functional updates: preset GPT-5.4-pro model definitions and pricing configurations to ensure forward compatibility before OpenAI’s official launch; and Telegram forum topics now display human-readable topic names instead of internal IDs. (Source: BlockBeats)
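Item 3 in the list above, rejecting realpath failures instead of falling back to the lexical path, is the kind of fix that is easy to get subtly wrong. The following is an added example, not OpenClaw's own code: it canonicalises both the attachment directory and the requested path, treats any canonicalisation failure (missing file, dangling symlink, symlink loop) as a rejection, and only then checks containment. The `resolve_attachment` function and the fixture files that `run_demo` builds are assumptions made for this illustration.

```python
"""Resolve a local attachment path; reject anything whose real path fails or escapes.

Added example, not OpenClaw's own code. It models the fix the article
describes (a realpath failure is a rejection, not a fallback). The function
names and the fixture built by run_demo() are assumptions for this illustration.
"""
import tempfile
from pathlib import Path
from typing import Optional


def resolve_attachment(base_dir: Path, requested: str) -> Optional[Path]:
    """Return the canonical path of an attachment inside base_dir, or None.

    Both the base directory and the candidate are canonicalised with
    resolve(strict=True), which follows symlinks and raises if any component
    does not exist. A failure is a rejection: falling back to the lexical
    path would let a dangling or re-pointed symlink slip past the directory check.
    """
    try:
        base = Path(base_dir).resolve(strict=True)
        real = (base / requested).resolve(strict=True)
    except (OSError, RuntimeError):  # missing file, dangling symlink, symlink loop
        return None
    # Containment check on the canonical paths, not on the user-supplied string.
    if real != base and base not in real.parents:
        return None
    return real


def run_demo() -> dict[str, bool]:
    """Build a constructed fixture and report whether each request behaved as expected
    (True means the expected accept/reject decision was made)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        attach = root / "attachments"
        attach.mkdir()
        (attach / "report.pdf").write_bytes(b"constructed attachment")
        (root / "outside.txt").write_text("constructed file outside the attachment dir")
        (attach / "escape").symlink_to(root / "outside.txt")      # symlink pointing outside
        (attach / "dangling").symlink_to(root / "does-not-exist")  # broken symlink
        return {
            "plain_file_accepted": resolve_attachment(attach, "report.pdf") is not None,
            "dotdot_rejected": resolve_attachment(attach, "../outside.txt") is None,
            "symlink_escape_rejected": resolve_attachment(attach, "escape") is None,
            "dangling_symlink_rejected": resolve_attachment(attach, "dangling") is None,
            "missing_file_rejected": resolve_attachment(attach, "no-such.pdf") is None,
            "absolute_path_rejected": resolve_attachment(attach, str(root / "outside.txt")) is None,
        }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The order matters: canonicalise first, then compare. A containment check performed on the raw string (or on a lexically normalised path) passes "escape" and "dangling" because neither contains "..", which is exactly the gap a strict realpath closes.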