OpenClaw 2026.6.6: The Security Hardening Release

Security isn't sexy until it's your agent that gets owned.

OpenClaw dropped 2026.6.6 yesterday — June 12, 2026 at 05:26 UTC — and this isn't a feature release. It's a boundary-hardening release. Thirteen pull requests, all security-focused, touching transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, exec approvals, and more.

If you run OpenClaw agents on Linux in production, this is the one you don't skip.

Digital security shield over a Linux terminal, dark blue and indigo cyberpunk aesthetic, glowing code streams and lock symbols

What Actually Changed

The release notes are dense. Here's the breakdown by theme, with the PRs that matter most for Linux deployments.

1. Agent Boundary Hardening (PRs #91529, #91618, #91615, #91619)

The core issue: agents running with elevated privileges could inherit too much from the host environment. Transcripts could leak between sessions. Sandbox binds weren't strict enough.

What changed:

Transcript isolation is now enforced at the session layer. An agent can't accidentally read another agent's conversation history through environment inheritance.
Sandbox binds are stricter — fewer host paths exposed by default, and explicit opt-in required for /proc, /sys, and device nodes.
Host environment inheritance is filtered. Sensitive variables (SSH_AUTH_SOCK, HOME, XDG_RUNTIME_DIR) are scrubbed unless explicitly allowlisted.

Linux impact: If you run multiple agents on the same host — which you do — this closes a cross-contamination vector that was theoretical yesterday and is patched today.

2. MCP and Codex Security (PRs #91741, #91745, #91746, #91748)

MCP (Model Context Protocol) stdio transport and Codex HTTP access were both too permissive.

What changed:

MCP stdio transport now validates the sandbox bind before executing. No more arbitrary path injection through malformed MCP requests.
Codex HTTP access is restricted to explicitly allowlisted domains. The default changed from "allow all" to "deny all + curated list."
Native search policy is enforced for Codex sessions — agents can't bypass search restrictions through Codex tool calls.

Linux impact: If you use Codex as a coding agent backend or MCP for tool orchestration, these are direct attack surface reductions. The curated domain list is editable in ~/.openclaw/config/codex-domains.json.

3. Exec Approval Fail-Closed (PRs #91749, #91750, #89938)

Previously, exec approvals that timed out would... hang. Or succeed silently depending on the gateway version. Now they fail closed.

What changed:

Exec approval timeouts now return a hard denial. No ambiguous state.
Elevated sender checks are stricter — the sender identity is verified against the session binding before approval is granted.
Loopback tools (tools that call back into the agent system) are now explicitly scoped and can't escalate privileges.

Linux impact: This is the big one. If you have automated workflows that call exec with elevated: true, a timeout no longer risks an accidental rm -rf / because the approval system got confused. It says no.

4. Platform-Specific Hardening (PRs #91751, #91752, #91763)

Discord moderation and Teams group actions got tightened too, but those matter less for headless Linux deployments.

The Full PR List

For the completists:

PR	Area	Contributor
#91529	Transcript isolation	@joshavant
#91618	Sandbox binds	@pgondhi987
#91615	Host env inheritance	@mmaps
#91619	Session layer hardening	@eleqtrizit
#91741	MCP stdio validation	@shakkernerd
#91745	Codex HTTP allowlist	@drobison00
#91746	Native search policy	@shakkernerd
#91748	Codex domain restriction	@drobison00
#91749	Exec approval timeout	@joshavant
#91750	Elevated sender checks	@pgondhi987
#91751	Discord moderation	@eleqtrizit
#91752	Teams group actions	@mmaps
#89938	Loopback tool scoping	@shakkernerd

Why This Release Matters

OpenClaw has been shipping fast — 2026.6.1 through 2026.6.5 in under two weeks, with parallel search, SQLite auth, GitHub-backed skills, and infrastructure improvements. That velocity is great. But velocity without security review is how you ship CVEs.

2026.6.6 is the security audit that 2026.6.5 needed. It's not adding features. It's making the existing features safe to run unattended.

For Linux users specifically:

You're likely running OpenClaw as a systemd service or in a container
You probably have multiple agents with different privilege levels
You might be using elevated: true for package management or system configuration
You're the audience that cares about fail-closed behavior

This release says: we're taking that seriously now.

Upgrade Checklist

# Check your current version
openclaw --version

# If you're on 2026.6.5 or earlier, upgrade:
cd ~/.openclaw
npm install -g openclaw@latest

# Verify the upgrade
openclaw --version  # should show 2026.6.6 or later

# Review your exec approval timeout setting
# In ~/.openclaw/config/agent.yaml, ensure:
# exec:
#   approval_timeout_seconds: 30
#   fail_closed_on_timeout: true

# Check your Codex domain allowlist
cat ~/.openclaw/config/codex-domains.json
# Default is conservative. Add your internal domains explicitly.

# Restart your agent services
systemctl --user restart openclaw-agent
# or
pm2 restart openclaw

The Bigger Picture

This release is part of a pattern. OpenClaw 2026.6.x has been about production readiness — SQLite for state durability, parallel search for performance, and now security hardening for trust.

The next wave will likely be observability and monitoring. But you can't observe what you don't trust, and you don't deploy what you can't secure. 2026.6.6 is the trust layer.

If you're running OpenClaw on Linux in production, treat this as a required upgrade. Not because it adds features you'll use today, but because it removes vulnerabilities you'll regret tomorrow.

The Terminal — Where code meets craft. Technical intelligence for the Linux AI era.

Published June 13, 2026. OpenClaw 2026.6.6 was released June 12, 2026 at 05:26 UTC.