OpenClaw v2026.5.18 Release Summary

Key Changes

Gateway & Performance Optimizations

OpenClaw v2026.5.18 focuses heavily on reducing latency and improving the observability of the Gateway. A major architectural shift now allows independent startup work—such as plugin services and startup logging—to overlap, reducing the time it takes for the Gateway to reach a ready state. To support this, the team has introduced new benchmark tooling (pnpm test:restart:gateway) to provide machine-readable evidence of restart readiness and resource slopes.

Additionally, the openclaw models command has been optimized to reuse plugin metadata snapshots. In environments with large plugin installations (100+ plugins), this reduces wall time by approximately 70% and cuts filesystem openat syscalls by nearly 80%.

Android & Realtime Voice

Android users will see a significant upgrade to Talk Mode. The legacy SpeechRecognizer $\rightarrow$ chat.send $\rightarrow$ TTS pipeline has been replaced with a realtime Gateway relay voice session. This enables low-latency streaming audio, realtime tool-call bridging, and on-screen transcripts for both the provider and the assistant.

Codex & Agent Runtime Hardening

Several critical fixes have been implemented for the Codex app-server and agent runtimes:

• Context Budgeting: Large native Codex rollouts are now rotated before resume if they exceed 70k tokens, preventing slow WebChat turns and oversized context inheritance.
• Tool Policy Enforcement: The Codex app-server now strictly honors deny: ["*"] policies, disabling native code mode, built-in environments, and user MCP projection for restricted runs.
• Session Isolation: Bound Codex app-server conversations now preserve the owning agent directory, ensuring follow-up turns and controls are routed through the correct agent runtime rather than falling back to the default client.
• Subagent Reliability: The system now preserves successful keep-mode subagent completions in a suspended delivery state if retries are exhausted, preventing the loss of final payloads during terminal cleanup.

Integration Updates

• Telegram: Fixed a critical issue where config hot-reloads could wedge isolated polling ingress workers. The system now correctly handles worker exits during graceful stops and recovers stalled isolated-ingress spool handlers into terminal tombstones to prevent blocking future updates.
• xAI: The xAI OAuth login flow has been hardened to handle CORS preflight requests and refresh-token requirements. Additionally, video generation now correctly routes through the v2s video API, resolving "malformed response" errors.
• WhatsApp: The forceDocument flag is now honored end-to-end, allowing agents to send uncompressed images and GIFs as documents.
• Google/Gemini: Added validation for thought_signature Base64 strings to prevent HTTP 400 errors caused by compaction-truncated signatures.

CLI & UX Improvements

• TUI: Added a standalone exit guard to ensure that /exit commands in the TUI do not leave orphaned child processes alive.
• PowerShell: Onboarding now resolves concrete profile paths and provides actionable reload commands instead of generic $PROFILE hints.
• Diagnostics: Lane wait warnings now include activeAhead, activeNow, and queueBehind metrics to better identify active-run blockers.

Impact

Stability & Reliability

Users will experience fewer "stuck" sessions and more reliable subagent completions. The hardening of the Codex runtime and the fix for Telegram's ingress worker ensure that the system remains responsive even during complex task execution or configuration changes.

User Experience

Android users gain a near-instantaneous voice interaction experience. CLI users with large plugin sets will see a dramatic speedup in model discovery and status checks. Telegram users will see improved reliability in media group handling and topic-based completions.

Security

Security is tightened through the redaction of private chat payloads in verbose Telegram raw-update logs and the implementation of a stricter trusted-proxy password fallback policy that only allows same-host direct requests.

Upgrade Guide

Breaking Changes & Migration

While this release is largely backward compatible, operators should note the following:

• Trusted-Proxy Auth: If you rely on the strict fail-closed policy from previous versions for same-host password authentication, be aware that this release restores the local-direct password fallback for loopback requests without forwarded headers. To maintain strict proxy-only auth, avoid configuring gateway.auth.password for trusted-proxy deployments.
• Node.js Requirement: The minimum supported Node.js 22 line has been raised to 22.19 to support updated Pi packages (0.75.1).
• Codex OAuth: Legacy Codex OAuth profiles using oauthRef sidecars remain usable, but they will be migrated to inline credentials upon the next successful refresh or via openclaw doctor --fix.