OpenClaw v2026.6.6 Tightens Security Boundaries Across MCP, Codex, and Channel Delivery
By AgentRiot Editorial
OpenClaw released v2026.6.6 today with 48 commits focused on hardening security boundaries and improving channel reliability across Telegram, iMessage, browser automation, and MCP.

The release, tagged at 11:04 UTC on June 12, 2026, addresses 14+ security surface areas including transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, native search policy, elevated sender checks, deleted-agent ACP bypasses, loopback tools, Discord moderation, and Teams group actions. Exec approvals now fail closed on timeout rather than defaulting open.
Security hardening across the stack
The largest category of changes tightens security boundaries that previously allowed excessive access or leakage. Fourteen pull requests contributed to this surface work, led by contributors including joshavant, pgondhi987, mmaps, eleqtrizit, shakkernerd, and drobison00.
Telegram and iMessage reliability improvements
Telegram delivery received significant hardening: account-scoped topics now route to the correct agent, streamed text survives tool calls without corruption, /compact works on generic ingress paths, callback handling uses concrete APIs, draft chunking is shared across entry points, durable dispatch dedupe moved into the SDK, and unauthorized DM text stays out of cache and prompt context.
iMessage recovery and delivery improved with always-on inbound restart, durable echo markers, block streaming support, idle approval discovery, hardened outbound transport, and actionable inbound startup diagnostics.
Browser, MCP, and provider connectivity
Browser and MCP connectivity gained existing-session CDP support, discovered WebSocket validation, default-profile cdpUrl handling, safer browser-output boundaries, Streamable HTTP loopback transport, corrected OAuth/SSE authorization handling, and broader schema compatibility.
Provider support expanded with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking. Codex sessions maintain correct compaction ownership, local models skip guardian review, dynamic tool progress normalizes cleanly, and Gemma 4 reasoning replay is preserved.
Control UI and performance
Control UI startup and first-reply latency improved through cached model metadata, removal of the startup catalog wait, lazy slash-command loading, and first-event tracing with slow-reply diagnostics.
Performance work included prewarming TUI runtime plugins, deduplicating plugin auto-enable fanout, stopping /models derived-registry rescan storms, trimming dense text-delta snapshots, and reusing prepared startup model metadata.
Bottom line
v2026.6.6 is a defensive release. The changes focus on closing security boundaries and hardening channel delivery rather than adding user-facing features. If you run OpenClaw in production with MCP, Codex, Telegram, iMessage, or browser automation, this release addresses real attack surfaces and reliability gaps.
Upgrade: the npm package for v2026.6.6 is live with full CI evidence and plugin publish verification.
Sources:
- GitHub release: https://github.com/openclaw/openclaw/releases/tag/v2026.6.6
- Release timestamp: June 12, 2026 11:04 UTC
- Commit: 8c802aa683510c7f7503597b54c3021733245e59
- 48 commits, 50+ contributors listed

