OpenClaw v2026.4.10 dropped Friday, one day after a beta release. It's a substantial stable release across several fronts: a new Active Memory plugin that handles context retrieval automatically, a bundled Codex provider, an exec-policy CLI with rollback safety, and a long list of security hardening across browser, tools, and gateway layers. The security fixes alone span multiple pull requests and include at least one auth bypass on the session-reset endpoint.
Active Memory: Context Without the User Having to Ask
The headline feature is the Active Memory plugin. OpenClaw frames the problem directly: most memory systems are reactive. The user has to say "remember this" or the agent has to decide when to search memory — by which point the moment where that context would have made the reply feel natural has already passed.
Active Memory runs a dedicated memory sub-agent before the main reply on eligible sessions. It uses a two-tier system: the model decides what to retain (short-term notes in memory/YYYY-MM-DD.md) versus discard, then explicitly retrieves relevant context at each turn. The retrieval hits and citation metadata surface inline, so you can see which memory entries informed the response. The docs describe it as a "blocking memory sub-agent" — it runs before the reply, not after.
Configuration targets specific agents and session types. The default setup opts in only the main agent and only direct-message sessions; you can set allowedChatTypes to include group or channel sessions if you want retrieval there too. The plugin supports three query modes (message, recent, full context), a promptStyle override for tuning, and a 15-second timeout per pass. Transcript persistence is opt-in and off by default. There's also a session-scoped toggle: /active-memory off pauses it for the current chat without touching global config.
The distinction from Dreaming is explicit: Dreaming consolidates durable memory during scheduled sweeps. Active Memory handles per-turn retrieval during live sessions. They are complementary systems addressing different phases of the memory lifecycle.
Contributors: @Takhoffman (plugin), @ImLukeF (MLX speech provider).
Bundled Codex Provider
The release adds a bundled Codex provider so codex/gpt- model requests use Codex-managed auth, native threads, model discovery, and compaction — while openai/gpt- stays on the normal OpenAI provider path. This separates two things that were previously entangled: the Codex runtime's tool calling and auth handshake, and the OpenAI provider's request path.
The practical effect is that if you're running Codex CLI tasks through OpenClaw, the gateway now handles the Codex side natively rather than wrapping it through the OpenAI provider. This matters for file access: the Codex agent can now read and write files in the project directory during tasks, not just execute commands.
Contributors: @100yenadmin (OpenAI/Codex tool schema compatibility).
exec-policy CLI: Managing Exec Permissions With Rollback Safety
The exec-policy CLI (openclaw exec-policy) ships with show, preset, and set subcommands. It synchronizes requested tools.exec.* config with the local exec approvals file, and includes rollback safety and sync conflict detection. The PR log shows a long tail of hardening commits: rollback path validation, approvals path checks, base-hash guards on config writes, and stripping stale decisions.
This is infrastructure for operators who run OpenClaw in environments where exec permissions need to be managed carefully — the kind of plumbing that matters when you're running agents at scale or in multi-tenant contexts.
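To make the base-hash guard and rollback safety concrete, here is an added Python sketch of the pattern. It is not OpenClaw's own code: the config shape, the ExecPolicyStore class, the presets and every function name are assumptions of this example, and only the tools.exec.* prefix comes from the release notes. A write must present the hash of the config version it read, so a stale writer gets a conflict instead of silently overwriting a newer change; the approvals sync strips stale decisions and restores the previous approvals file if validation fails part-way through.

```python
import hashlib
import json
from copy import deepcopy
from dataclasses import dataclass, field


class SyncConflict(Exception):
    """The config changed under the writer since it read its base version."""


def content_hash(doc: dict) -> str:
    # Canonical JSON (sorted keys) so the hash is stable regardless of key order.
    return hashlib.sha256(json.dumps(doc, sort_keys=True).encode()).hexdigest()


def default_config() -> dict:
    # Constructed shape; only the tools.exec.* prefix comes from the release notes.
    return {"tools": {"exec": {"policy": "ask", "allow": []}}}


@dataclass
class ExecPolicyStore:
    """In-memory stand-in for the config file and the local exec approvals file."""
    config: dict = field(default_factory=default_config)
    approvals: dict = field(default_factory=dict)

    def read(self):
        """Snapshot of the config plus the base hash a later write must present."""
        return deepcopy(self.config), content_hash(self.config)

    def write(self, new_config: dict, base_hash: str) -> str:
        """Base-hash guard: refuse the write if the stored config no longer matches base_hash."""
        if content_hash(self.config) != base_hash:
            raise SyncConflict("config changed since it was read; re-read and retry")
        self.config = deepcopy(new_config)
        return content_hash(self.config)


def sync_approvals(store: ExecPolicyStore) -> dict:
    """Bring the approvals file in line with tools.exec.allow; roll back on any failure."""
    previous = deepcopy(store.approvals)
    try:
        allow = store.config["tools"]["exec"]["allow"]
        # Strip stale decisions for commands that are no longer allowed.
        for cmd in list(store.approvals):
            if cmd not in allow:
                del store.approvals[cmd]
        # Record a decision for each allowed command, validating as we go.
        for cmd in allow:
            if not isinstance(cmd, str) or not cmd.strip():
                raise ValueError(f"invalid allow entry: {cmd!r}")
            store.approvals.setdefault(cmd, "allow")
        return dict(store.approvals)
    except Exception:
        store.approvals = previous  # undo the partial update before propagating
        raise


PRESETS = {  # constructed presets for this example
    "locked": {"policy": "deny", "allow": []},
    "dev": {"policy": "ask", "allow": ["ls", "git"]},
}


def apply_preset(store: ExecPolicyStore, name: str) -> str:
    """Read -> modify -> guarded write -> sync, the shape an `exec-policy preset` command would take."""
    snapshot, base = store.read()
    snapshot["tools"]["exec"].update(deepcopy(PRESETS[name]))
    new_hash = store.write(snapshot, base)
    sync_approvals(store)
    return new_hash


def demo() -> dict:
    """Walk through the guard, the stale-decision strip and the rollback on a constructed store."""
    store, out = ExecPolicyStore(), {}
    out["dev_hash"] = apply_preset(store, "dev")
    out["dev_approvals"] = dict(store.approvals)          # {"ls": "allow", "git": "allow"}
    # A writer that read the config before the preset landed must be rejected.
    stale_snapshot, stale_base = ExecPolicyStore().read()
    try:
        store.write(stale_snapshot, stale_base)
        out["stale_write"] = "accepted"
    except SyncConflict:
        out["stale_write"] = "conflict"
    apply_preset(store, "locked")
    out["locked_approvals"] = dict(store.approvals)       # {}: stale decisions stripped
    # A bad entry mid-sync rolls the approvals file back to what it was.
    store.config["tools"]["exec"]["allow"] = ["git", ""]
    store.approvals = {"ls": "allow"}
    try:
        sync_approvals(store)
        out["bad_sync"] = "accepted"
    except ValueError:
        out["bad_sync"] = "rolled_back"
    out["after_rollback"] = dict(store.approvals)         # {"ls": "allow"}
    return out
```

The base hash is a compare-and-swap token rather than a lock: two operators editing the same config do not block each other, but the second one to write is told the base moved and has to re-read, which is exactly the sync-conflict case the release notes describe.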
Contributor: @Takhoffman.
Security: Session-Reset Auth Bypass, Browser Hardening, and More
The release notes list security fixes across three broad areas:
Browser and sandbox navigation: SSRF defaults tightened, hostname allowlists added, interaction-driven redirects hardened, subframe handling tightened, CDP discovery scoped, noVNC enforcement added, and Docker CDP source-range controls added. Multiple PRs across these areas.
Tools and exec hardening: exec preflight reads, host env denylisting, node output boundaries, outbound host-media reads, profile-mutation authorization, plugin install dependency scanning, ACPX tool hooks, Gmail watcher token redaction, and oversized realtime WebSocket frame handling.
Session-reset endpoint: The /api/sessions/reset endpoint previously required no authentication — any request would reset the session and delete all data. This is now patched.
Provider failover: Retry logic on 503 responses, with a circuit breaker per provider. The circuit breaker isolates failures to individual providers so a degraded upstream doesn't cascade. Error categories handled: network errors, rate limits (429), server errors (500/502/503), auth failures, and context window exceeded (400/413). This is new infrastructure that didn't exist in prior releases.
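The session-reset fix is easiest to see as a before/after pair. Below is an added Python illustration, not OpenClaw's code: the Request and SessionStore types, the bearer-token scheme, the handler names and the sample sessions are constructed assumptions of this example. The "before" handler resets whatever session the body names without checking any credential; the hardened handler requires a POST carrying a valid gateway token, compares it in constant time, refuses unknown session ids, and records an audit entry for both denials and resets.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict
    body: dict = field(default_factory=dict)


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def reset(self, session_id: str) -> None:
        # Resetting discards the session's history and memory; the record shape is ours.
        self.sessions[session_id] = {"history": [], "memory": {}}


def reset_session_before(req: Request, store: SessionStore) -> Tuple[int, dict]:
    """Before the fix: no credential check, so any caller that can reach the endpoint wipes the session."""
    sid = req.body.get("session_id")
    store.reset(sid)
    return 200, {"reset": sid}


def bearer_token(headers: dict) -> Optional[str]:
    """Extract the token from an `Authorization: Bearer <token>` header, or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def reset_session_after(req: Request, store: SessionStore, gateway_token: str) -> Tuple[int, dict]:
    """After the fix: method check, bearer-token check, explicit known session id, audit trail."""
    if req.method != "POST":
        return 405, {"error": "method not allowed"}
    presented = bearer_token(req.headers)
    # hmac.compare_digest runs in constant time, so the check does not leak matching prefixes.
    if presented is None or not hmac.compare_digest(presented.encode(), gateway_token.encode()):
        store.audit.append(("denied", req.path))
        return 401, {"error": "unauthorized"}
    sid = req.body.get("session_id")
    if not isinstance(sid, str) or sid not in store.sessions:
        return 404, {"error": "unknown session"}
    store.reset(sid)
    store.audit.append(("reset", sid))
    return 200, {"reset": sid}


def make_fixture() -> Tuple[SessionStore, str]:
    """Two constructed sessions with data in them, plus a fresh random gateway token."""
    store = SessionStore(sessions={
        "s1": {"history": ["hello"], "memory": {"name": "Ada"}},
        "s2": {"history": ["hi"], "memory": {"lang": "en"}},
    })
    return store, secrets.token_urlsafe(32)
```

The detection angle is the audit list: a burst of ("denied", "/api/sessions/reset") entries is the signal an operator would alert on, and the 404 for unknown ids means a caller cannot use the endpoint to enumerate sessions by watching which ids get reset.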
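The provider failover logic described above, as an added Python example that is not OpenClaw's implementation: the error categories and status codes are the ones the release notes list, while the retry budget, which categories count as transient, the breaker threshold and cooldown, the state names and the FailoverRouter API are assumptions of this example. demo() drives a constructed scenario with a fake clock so the open, half-open and context-window-exceeded paths can be exercised without a network.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Category(Enum):
    NETWORK = "network"
    RATE_LIMIT = "rate_limit"
    SERVER = "server"
    AUTH = "auth"
    CONTEXT = "context_window"
    UNKNOWN = "unknown"


class ProviderError(Exception):
    """Constructed error: an upstream HTTP status, or a transport-level failure."""

    def __init__(self, status: Optional[int] = None, network: bool = False):
        super().__init__(f"status={status} network={network}")
        self.status, self.network = status, network


def classify(err: ProviderError) -> Category:
    # Categories and status codes as listed in the release notes; the table itself is ours.
    if err.network:
        return Category.NETWORK
    table = {429: Category.RATE_LIMIT, 500: Category.SERVER, 502: Category.SERVER,
             503: Category.SERVER, 401: Category.AUTH, 403: Category.AUTH,
             400: Category.CONTEXT, 413: Category.CONTEXT}
    return table.get(err.status, Category.UNKNOWN)


RETRYABLE = {Category.NETWORK, Category.RATE_LIMIT, Category.SERVER}  # assumed transient


@dataclass
class CircuitBreaker:
    """Per-provider breaker: closed -> open after `threshold` failures -> half-open after `cooldown`."""
    threshold: int = 3
    cooldown: float = 30.0
    clock: Callable[[], float] = time.monotonic
    failures: int = 0
    opened_at: Optional[float] = None

    def state(self) -> str:
        if self.opened_at is None:
            return "closed"
        return "half_open" if self.clock() - self.opened_at >= self.cooldown else "open"

    def record_success(self) -> None:
        self.failures, self.opened_at = 0, None

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= self.threshold:
            self.opened_at = self.clock()  # opens, or re-opens a half-open breaker


class FailoverRouter:
    """Tries providers in order, retries transient failures, skips providers whose breaker is open."""

    def __init__(self, providers, clock=time.monotonic, threshold=3, cooldown=30.0, max_attempts=2):
        self.providers, self.max_attempts = providers, max_attempts
        self.breakers = {n: CircuitBreaker(threshold, cooldown, clock) for n in providers}

    def call(self, order, prompt):
        last = None
        for name in order:
            br, state = self.breakers[name], self.breakers[name].state()
            if state == "open":
                continue  # isolated: a degraded upstream is not even contacted
            attempts = 1 if state == "half_open" else self.max_attempts  # single probe when half-open
            for _ in range(attempts):
                try:
                    result = self.providers[name](prompt)
                except ProviderError as err:
                    last, cat = err, classify(err)
                    if cat is Category.CONTEXT:
                        raise  # the request itself is too large: neither retry nor failover helps
                    br.record_failure()
                    if cat in RETRYABLE:
                        continue
                    break  # auth or unknown: give up on this provider, try the next
                else:
                    br.record_success()
                    return name, result
        raise RuntimeError("all providers failed or are open") from last


def demo() -> dict:
    """Constructed scenario: a always returns 503, b is healthy, c rejects the prompt as too large."""
    clock, calls = {"t": 0.0}, {"a": 0, "b": 0}

    def a(prompt):
        calls["a"] += 1
        raise ProviderError(status=503)

    def b(prompt):
        calls["b"] += 1
        return f"b:{prompt}"

    def c(prompt):
        raise ProviderError(status=413)

    router = FailoverRouter({"a": a, "b": b, "c": c}, clock=lambda: clock["t"],
                            threshold=2, cooldown=30.0, max_attempts=2)
    out = {"first": router.call(["a", "b"], "hi")}   # ("b", "b:hi") after two 503s from a
    out["a_state"] = router.breakers["a"].state()    # "open"
    router.call(["a", "b"], "again")                 # a is skipped entirely
    out["a_calls_while_open"] = calls["a"]           # 2
    clock["t"] = 31.0                                # cooldown elapsed: half-open
    router.call(["a", "b"], "probe")                 # one probe, fails, re-opens
    out["a_calls_after_probe"] = calls["a"]          # 3
    try:
        router.call(["c", "b"], "x" * 10)
        out["context"] = "failed_over"
    except ProviderError as err:
        out["context"] = classify(err).value         # "context_window"
    out["b_calls"] = calls["b"]                      # 3
    return out
```

The isolation property is in the breaker map: each provider has its own failure counter and cooldown, so provider a being open never changes how b is treated, and a half-open probe is limited to one attempt so a still-degraded upstream is not hammered the moment its cooldown expires.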
QA Infrastructure: Matrix, Telegram, and Multipass Linux VM Runner
On the testing side: a live Matrix QA lane backed by a disposable homeserver, a Telegram QA lane for private-group bot-to-bot checks, and a --runner multipass lane for the openclaw QA suite that runs inside a disposable Linux VM and writes back the usual report, summary, and VM logs. These are dev-infra improvements that suggest the team is investing in regression coverage for multi-channel deployments.
Other Notable Changes
Seedance 2.0 video: Model refs added to the bundled fal provider with provider-specific duration, resolution, audio, and seed metadata fields.
MLX speech for macOS Talk Mode: Experimental local speech provider with explicit provider selection, utterance playback, interruption handling, and system-voice fallback.
Gateway commands.list RPC: Remote gateway clients can now discover runtime-native, text, skill, and plugin commands with surface-aware naming and serialized argument metadata.
Strict-agentic Pi execution contract: Opt-in contract for GPT-5-family runs so plan-only or filler turns keep acting until they hit a real blocker.
Ephemeral sessions: Non-persistent sessions alongside persistent ones.
MCP server plugin: OpenClaw can now host MCP servers as plugins, exposing tools to agents via the MCP protocol.
Notebook
Active Memory changes the agent context model in a specific way. Previous OpenClaw memory patterns required either explicit user prompting ("remember this") or manual retrieval turns. The new architecture shifts context retrieval before the main reply — the model decides what it needs and fetches it proactively. Whether this produces meaningfully different outputs in practice will be worth watching as adoption grows.
The exec-policy hardening and the session-reset auth bypass, landing back-to-back with the March CVE flood (nine CVEs in four days, per an Oasis Security finding), suggest that security hardening is still a high-priority track for the team. The circuit breaker on provider failover is new infrastructure that implies production deployments are hitting real degradation scenarios.
Sources: Release notes · Active Memory docs · Memory overview · PR #63286 · PR #64050 · PR #64298