
OpenClaw releases version 2026.4.21, fixing an authorization bypass vulnerability and making GPT-Image-2 the default image generation model

According to Sentinel Beating monitoring, the open-source AI Agent platform OpenClaw released version 2026.4.21 on the same day. The update mainly integrates the latest image generation model released by OpenAI and patches a command authorization vulnerability.

The system's built-in image generation pipeline and automated testing now default to using `gpt-image-2`, with new 2K and 4K size hints added to the documentation and metadata. If the preferred model fails during generation, the gateway will now log the error before triggering an automatic fallback, preventing the previous silent switch that made it difficult to detect errors from the OpenAI interface.

On the security front, a patch was applied for a command bypass vulnerability (#69774). Previously, if the owner-exclusive command control (`enforceOwnerForCommands`) was enabled without a whitelist configured (`ownerAllowFrom`), regular users could exploit a broad fallback policy to bypass restrictions. The system now mandates owner verification or operator.admin privileges.
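The fail-open and fail-closed shapes of this check, as an added example that is not OpenClaw's own code. Only `enforceOwnerForCommands`, `ownerAllowFrom` and `operator.admin` come from the release note; `channelAllowFrom` is an assumed stand-in for the "broad fallback policy", owner verification is modelled as membership in `ownerAllowFrom`, and every function name is hypothetical.

```typescript
// Simplified model of the check in the release note; not OpenClaw's source.
// Only enforceOwnerForCommands, ownerAllowFrom and operator.admin come from
// the note. All other names are hypothetical.
interface CommandConfig {
  enforceOwnerForCommands: boolean;
  ownerAllowFrom: string[];   // sender ids treated as owner
  channelAllowFrom: string[]; // assumed stand-in for the broad fallback policy
}
interface Sender { id: string; scopes: string[]; }

function inList(list: string[], id: string): boolean {
  return list.indexOf("*") !== -1 || list.indexOf(id) !== -1;
}

// Fail-open shape: an empty owner list silently widens to the channel policy.
function canRunBefore(cfg: CommandConfig, s: Sender): boolean {
  if (!cfg.enforceOwnerForCommands || cfg.ownerAllowFrom.length === 0) {
    return inList(cfg.channelAllowFrom, s.id);
  }
  return cfg.ownerAllowFrom.indexOf(s.id) !== -1;
}

// Fail-closed shape: with enforcement on, only a listed owner or a sender
// holding operator.admin passes, whether or not ownerAllowFrom is populated.
function canRunAfter(cfg: CommandConfig, s: Sender): boolean {
  if (!cfg.enforceOwnerForCommands) return inList(cfg.channelAllowFrom, s.id);
  return cfg.ownerAllowFrom.indexOf(s.id) !== -1 ||
    s.scopes.indexOf("operator.admin") !== -1;
}

// Config audit: flag the combination the release note describes.
function auditConfig(cfg: CommandConfig): string[] {
  const findings: string[] = [];
  if (cfg.enforceOwnerForCommands && cfg.ownerAllowFrom.length === 0) {
    findings.push("enforceOwnerForCommands is on but ownerAllowFrom is empty");
  }
  return findings;
}

// Constructed sample data.
const riskyCfg: CommandConfig = {
  enforceOwnerForCommands: true, ownerAllowFrom: [], channelAllowFrom: ["*"],
};
const guest: Sender = { id: "user-123", scopes: [] };
const admin: Sender = { id: "ops-1", scopes: ["operator.admin"] };
```

Running `auditConfig` over deployed configurations finds instances that relied on the old fallback and will deny non-admin senders after the upgrade until `ownerAllowFrom` is set.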

Among the routine fixes, the browser plugin no longer waits out the full timeout when it cannot find an accessibility node and instead intercepts the failure promptly. The issue of outgoing Slack messages not staying in the original thread has also been resolved.
