v2026.3.2 — Defense-in-Depth Security + Plugin SDK Refactor
Released: March 3, 2026 Theme: Security hardening + architectural uplift Breaking Changes: 4
Overview
v2026.3.2 is a release driven by security hardening. It ships 4 Breaking Changes, over 130 fixes, full SecretRef coverage (64 endpoints), sandbox escape defenses, and prompt-spoofing neutralization. It also introduces native PDF tools and Telegram streaming by default. Several vulnerabilities were reported by security researcher @tdjackey — evidence of systematic audit work.
Core Highlights
1. SecretRef Coverage Everywhere (64 Endpoints)
SecretRef now extends to all user-provided credential endpoints, covering runtime collectors, the openclaw secrets plan/apply/audit flows, and SecretInput UX during onboarding. Unresolved refs fail fast on active surfaces and surface non-blocking diagnostics elsewhere.
2. Security Hardening Suite
This release fixes several critical security issues — upgrade immediately.
| Area | Fix |
|---|---|
| Prompt spoofing | Stopped injecting queue events as user-role prompts; neutralized [System Message] spoofing markers |
| Sandbox bootstrap | Rejects symlink/hardlink aliases resolving outside the workspace |
| ACP sandbox inheritance | Enforces fail-closed guard on sessions_spawn + runtime="acp" |
| fs-safe writes | Switches to same-directory temp + atomic rename + inode/hardlink revalidation |
| Skills archives | Unified tar.gz/tar.bz2 safety checks; enforces size cap |
| Gateway routing | Plugin route path variants decode to a canonical fixed point; fail closed on anomalies |
3. Native PDF Tools
Promoted to first-class: native Anthropic and Google PDF provider support, with a fallback extraction path for non-native models. Configurable via agents.defaults.pdfModel, pdfMaxBytesMb, pdfMaxPages. Diff tools now support PDF output.
4. Telegram Streaming On by Default
channels.telegram.streaming switches from off to partial. DMs use sendMessageDraft for private-preview streaming; reasoning and answer previews are separated in DM streaming mode.
5. Plugin Ecosystem Architecture Uplift
channelRuntimeexposed onChannelGatewayContext- New transcription API:
api.runtime.stt.transcribeAudioFile(...) - New
runtime.system.requestHeartbeatNow(...),runtime.events.onAgentEvent - Hook system gains
message:transcribed,message:preprocessed
Breaking Changes
| Change | Impact |
|---|---|
tools.profile defaults to messaging | New installs no longer ship coding/system tools by default |
| ACP dispatch enabled by default | To pause, explicitly set acp.dispatch.enabled=false |
Plugin SDK removes api.registerHttpHandler(...) | Use api.registerHttpRoute(...) instead |
| Zalo Personal rebuilt | Run openclaw channels login --channel zalouser |
Technical Direction
Defense-in-Depth
At least 10 security fixes span sandbox, prompt, SSRF, webhook, file system, and configuration backup — a thorough systematic audit.
Plugin SDK Maturation
Removing legacy HTTP handler APIs, adding structured route registration, and exposing STT / event subscription / heartbeat runtime APIs — the plugin architecture is evolving from “basic extension” into a “complete platform”.
Notable Fixes
- Webchat NO_REPLY token leak: internal control tokens (like
NO) were partially visible during streaming - Sessions lock PID reuse: Linux PID recycling caused false lock timeouts; added
starttimecomparison - Slack Bolt 4.6+ crash: removed invalid event registrations, startup error fixed
- Exec approvals path matching: paths with regex metacharacters like
/usr/bin/g++now match correctly