
openclaw v2026.6.6 release notes: what's new & changelog

v2026.6.6 Jun 12, 2026

OpenClaw v2026.6.6 delivers tighter security boundaries across host environments, expanded provider capabilities including Claude Fable 5 and OpenRouter OAuth, and substantial performance optimizations for the Control UI and plugin metadata discovery.

Key Changes

Security Hardening

Security boundaries have been substantially tightened across multiple surfaces to prevent unauthorized access and execution:

  • Host Environment Protection: The host exec sanitizer now blocks request-scoped Rustup environment overrides (e.g., RUSTUP_HOME, RUSTUP_TOOLCHAIN) and expands the unsafe host environment denylist to reject interpreter startup and search-path variables like BASHOPTS and FPATH (#91615, #91618).
  • Git Protocol Control: Request-scoped Git protocol-control environment variables are now blocked, and inherited GIT_ALLOW_PROTOCOL is filtered to safe defaults to prevent transport policy loosening (#91619).
  • Sandbox & Tooling Safety: Docker sandbox bind sources are now validated in both directions to reject parent sources that cover blocked descendants (#91741). Additionally, the Codex sandbox exec-server HTTP bridge now rejects private or internal HTTP targets before dispatch (#91752).
  • Execution Approvals: Exec approval requests now fail closed by default on timeout, meaning unanswered requests are denied rather than approved (#89938).
  • MCP Hardening: Stdio MCP server environment filtering has been hardened to drop inherited child-process config pivots (e.g., Ansible and Terraform config keys) while preserving explicit credential keys like GITHUB_TOKEN (#91751).
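
The two-direction bind-source check described in the Sandbox & Tooling Safety item, as an added example (not OpenClaw's own code). The function names, the blocklist, and the sample paths are assumptions constructed for illustration.

```javascript
// Constructed blocklist for illustration; OpenClaw's real list is not shown on this page.
const BLOCKED_PATHS = ["/etc", "/proc", "/var/run/docker.sock", "/home/agent/.ssh"];

// Lexically normalize an absolute POSIX path: collapse "//", ".", and "..".
// Caveat: this does not resolve symlinks; a production check should compare
// real paths (e.g. after fs.realpath) so a symlink cannot alias a blocked path.
function normalizeAbs(p) {
  if (typeof p !== "string" || !p.startsWith("/")) {
    throw new Error("bind source must be an absolute path: " + String(p));
  }
  const parts = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") parts.pop();
    else parts.push(seg);
  }
  return "/" + parts.join("/");
}

// True when `child` equals `parent` or lies beneath it, on segment boundaries
// (so "/etcetera" is not treated as being inside "/etc").
function isWithin(child, parent) {
  if (parent === "/") return true;
  return child === parent || child.startsWith(parent + "/");
}

// Hypothetical validator: checks the bind source in both directions.
function checkBindSource(source, blocked = BLOCKED_PATHS) {
  const src = normalizeAbs(source);
  for (const raw of blocked) {
    const b = normalizeAbs(raw);
    // Direction 1: the source is a blocked path or sits inside one.
    if (isWithin(src, b)) return { ok: false, direction: "inside", blocked: b };
    // Direction 2: the source is an ancestor, so mounting it exposes the blocked path.
    if (isWithin(b, src)) return { ok: false, direction: "covers", blocked: b };
  }
  return { ok: true, direction: null, blocked: null };
}

// Constructed sample sources.
for (const s of ["/home/agent/project", "/home/agent", "/srv/../etc/ssl", "/", "/etcetera"]) {
  console.log(s, JSON.stringify(checkBindSource(s)));
}
```

A check that only tests the first direction would accept /home/agent or / as a bind source even though both mounts expose a blocked descendant.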

Provider & Model Updates

  • Anthropic Claude Fable 5: Added support for Claude Fable 5 across direct API, Vertex, and Amazon Bedrock, including adaptive-thinking defaults and refusal handling (#91882).
  • OpenRouter OAuth: OpenRouter is now a first-class choice in the CLI model/auth provider picker, supporting PKCE OAuth login (#91830).
  • Gemma 4 Reasoning: Fixed a regression where Gemma 4 models via openai-completions were losing reasoning_content during multi-turn tool replay (#91696).
  • Ollama Thinking Defaults: The SDK session factory now respects the provider-declared thinking default (e.g., "off" for Ollama), preventing models from spending their output budget on thinking when not configured (#91657).

Performance & UI Improvements

  • Control UI Latency: Startup and first-reply latency are reduced through cached model metadata, the removal of the startup catalog wait, and lazy slash-command loading (#91531, #91538, #91598). First-assistant-event tracing and slow-reply diagnostics have also been added (#91568, #91583).
  • Plugin Metadata Discovery: Fixed a regression where the /models call triggered a "rescan storm" by failing to hit the metadata snapshot memo for derived registries, reducing catalog build times from ~6.5s to ~0.26s (#92127).
  • TUI Enhancements: The TUI footer now displays the connection hostname for URL-backed Gateway connections (#89909), and runtime plugins are prewarmed before the first send to eliminate cold-activation spikes (#90782).
  • iOS/iPadOS: The iPad control surface now features a real sidebar/navigation model aligned with macOS, and iPhone surfaces have been improved with responsive hub behavior and connected Workboard/Skill Workshop data (#91557).

Channel & Delivery Fixes

  • Telegram: Fixed a bug where answer text emitted between tool calls disappeared during streaming (#88682). Account-scoped topic agents now route correctly on non-default accounts (#91189), and unauthorized DM text is blocked from prompt context (#91478).
  • iMessage: Introduced always-on inbound recovery and deduplication to prevent "backlog bombs" after restarts (#91335). Outbound transport is now hardened with configurable sendTransport options (#91783), and block streaming config is now properly honored (#91449).
  • Discord: Added hydration for reply context metadata via REST when referenced_message is omitted by Discord (#90263).
  • WhatsApp: Fixed a critical issue where captured replies were lost after a ConnectionController restart by routing them through the successor controller (#85823).

Impact

For Operators

  • Security: The move to a "fail-closed" default for exec approval timeouts means unattended workflows that previously relied on silent auto-approval will now stop. Operators must explicitly configure askFallback if auto-approval is required (#89938).
  • Configuration: Users with memorySearch.provider: "local" must now install the @openclaw/llama-cpp-provider plugin, as the llama.cpp runtime has been moved from the core package to a dedicated provider plugin (#91324).
  • Maintenance: openclaw doctor now reports official managed plugin version drift, providing actionable repair commands to keep plugins in sync with the Gateway version (#90927).

For Developers

  • Plugin SDK: Installed plugins can now register api.registerAgentToolResultMiddleware and named trusted pre-tool policies if declared in their manifest (contracts.agentToolResultMiddleware and contracts.trustedToolPolicies) (#90004).
  • MCP Transport: The loopback HTTP server now supports Streamable HTTP MCP transport, resolving hangs for clients like Claude Code that require an SSE notification channel (#89851).

FAQ

What's new in v2026.6.6? This release delivers tighter security boundaries for host environments and sandboxes, adds support for Claude Fable 5 and OpenRouter OAuth, and significantly reduces Control UI and plugin discovery latency.

Are there any breaking changes? Yes. Exec approval timeouts now fail closed (deny) by default (#89938), and the local llama.cpp runtime has been moved to a separate provider plugin, requiring a new installation for users of local memory embeddings (#91324).

How do I upgrade? Users should update the package and then run openclaw doctor --fix to handle the migration of the local llama.cpp provider and any other necessary state repairs.
