OpenClaw v2026.5.28 Ships: Steadier Codex Runtimes, Stricter Channel Delivery
OpenClaw’s latest release — v2026.5.28 — landed May 29 (UTC), focusing on stability and delivery reliability across the board.
Key changes
Codex runtime recovery is the headline infrastructure fix. Subagents now keep proper cwd/workspace separation, hook context stays prompt-local, session locks release on timeout abort, and Codex app-server/helper failures no longer tear down shared runtime state. Stale restart continuations are also now avoided.
Channel delivery gets stricter across multiple platforms:
- Telegram polling trust checks are tighter
- iMessage reactions and approvals handle edge cases better
- Slack final replies are more reliable
- Discord recovered tool warnings stay out of successful replies
- WhatsApp profile auth roots are more robust
- Microsoft Teams service URL trust checks are enforced
- Matrix room IDs are validated before use
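One way a service URL trust check like the Teams item above can be written, as an added example that is not OpenClaw's own code. The allowlisted host, the function names and the sample activities are assumptions made for illustration.

```javascript
// Added example. TRUSTED_HOSTS is an assumed allowlist for illustration,
// not OpenClaw's actual list; adjust to the endpoints your tenant uses.
const TRUSTED_HOSTS = new Set(["smba.trafficmanager.net"]);

// Returns true only for an absolute https URL on the default port, with no
// embedded credentials, whose host exactly matches an allowlisted name.
function isTrustedServiceUrl(raw, trusted = TRUSTED_HOSTS) {
  if (typeof raw !== "string" || raw.length > 2048) return false;
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  if (url.port !== "") return false; // non-default port
  // URL already lowercases the host; drop a trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  return trusted.has(host);
}

// Split inbound activities into those safe to reply to and those to drop
// and log. The reply (and its bearer token) goes to activity.serviceUrl,
// so the check has to happen before any outbound request is built.
function partitionActivities(activities) {
  const accepted = [];
  const rejected = [];
  for (const a of activities) {
    (isTrustedServiceUrl(a.serviceUrl) ? accepted : rejected).push(a.id);
  }
  return { accepted, rejected };
}

// Constructed sample input: one genuine-looking URL and common lookalikes.
const SAMPLE_ACTIVITIES = [
  { id: "a1", serviceUrl: "https://smba.trafficmanager.net/amer/" },
  { id: "a2", serviceUrl: "https://smba.trafficmanager.net.attacker.example/" },
  { id: "a3", serviceUrl: "https://smba.trafficmanager.net@attacker.example/" },
  { id: "a4", serviceUrl: "http://smba.trafficmanager.net/amer/" },
  { id: "a5", serviceUrl: "https://attacker.example/?h=smba.trafficmanager.net" },
  { id: "a6", serviceUrl: "https://smba.trafficmanager.net:8443/" },
];

console.log(partitionActivities(SAMPLE_ACTIVITIES));
```

Comparing the parsed hostname exactly, rather than searching the raw string for a trusted name, is what rejects the lookalike entries a2, a3 and a5.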
Mobile and chat surface refresh — iOS Pro UI, Gateway chat transport, onboarding, Talk permissions, WebChat reconnect delivery, and session picker behavior all preserve more state across reconnects.
Inputs are now validated earlier — Browser tool timeouts, viewport/tab indices, Gateway ports, cron retry handling, Discord component IDs, schema array refs, and Telegram callback pages reject malformed values before they cause downstream issues.
Provider and model expansion:
- OpenAI-compatible embedding providers are now core
- DeepInfra catalog browsing loads the full credential-aware model set
- Pixverse adds video generation and API region selection
- VLLM thinking params are wired
- Claude CLI OAuth overlays load for PI auth profiles
- Bare direct Anthropic model IDs work without extra config
Security context
This release shipped alongside the Claw Chain CVE disclosure (CVE-2026-44115, CVE-2026-44118, CVE-2026-43527, CVE-2026-43582). If you’re running OpenClaw in production, update immediately and rotate any API keys stored in the gateway config.