OpenClaw 2.26

The Biggest Update This Month

February 2026 — Full Breakdown

February Has Been Insane 🔥

  • Releases This Week: 5
  • Bug Fixes (2.22–2.26): 50+
  • Contributors: 80+

  • 2.22 — Mistral provider, auto-updater
  • 2.23 — Kilo Gateway, security hardening
  • 2.24 — Multilingual stop commands
  • 2.25 — Android performance overhaul
  • 2.26 — Secrets management, ACP agents, cron fixes

Cron Jobs — Finally Fixed

The #1 complaint from the community

What Was Broken

  • Double-run bug — Cron jobs firing twice. You'd get duplicate messages, duplicate actions.
  • Parallel runs failing — maxConcurrentRuns was ignored, jobs would queue-block each other.
  • Manual runs hanging — Triggering a cron manually could hang indefinitely.
  • Timing drift — Jobs drifted from schedule because timing used wall clock instead of last successful run.

What They Fixed (2.22–2.26)

  • Fix: Queue drain reliability — Guaranteed draining flag reset on pump failures. New enqueues rejected during restart drain windows instead of silently dying.
  • Fix: Safety timeout raised — Cron agentTurn outer timeout increased to prevent false 10-minute timeout races against longer agent sessions.
  • Fix: Stale message skipping — /stop now includes queued-backlog cutoff metadata, skipping stale messages without cross-session bleed.

Source: GitHub #27407, #27332, #27427

External Secrets Management 🔐

The headline feature of 2.26

openclaw secrets Workflow

  • audit: Scan for exposed secrets
  • configure: Set up secret refs
  • apply: Activate runtime snapshot
  • reload: Hot-reload without restart
Why it matters: No more API keys in plaintext config files. Strict target-path validation, safer migration scrubbing, and ref-only auth-profile support. Enterprise-grade secret handling.

Source: PR #26155 by @joshavant

ACP Thread-Bound Agents 🤖

ACP agents are now first-class runtimes for thread sessions.

spawn/send dispatch integration • lifecycle controls • startup reconciliation • runtime cleanup • coalesced thread replies

  • Agents can now live inside Discord/Telegram threads natively
  • Proper lifecycle — startup, cleanup, reconnection handled automatically
  • Thread replies are coalesced (no more message spam)

Source: PR #23580 by @osolmaz

Security Fixes 🛡️

  • Security: Config value redaction — openclaw config get now redacts sensitive values. No more accidentally leaking API keys in screenshots.
  • Security: Session history redaction — Tokens stripped from session history exports.
  • Security: Exec safe-bin hardening — Tighter path validation for executable binaries.
  • Security: Voice call DoS protection — Rate limiting on voice endpoints to prevent abuse.

Memory & Language Improvements 🧠

  • Mistral: New Provider + Embeddings
  • 7: New Languages for Memory
  • FTS: Better Recall Across Languages
Stop-word filtering added for: Spanish, Portuguese, Japanese, Korean, Arabic, and more. Memory search now works properly for non-English users — huge for the global community.

Source: 2.22 changelog — PR #23845 by @vincentkoc

Typing Indicators — 4 Separate Fixes 💬

  • Stuck typing after completion — dispatch idle now always fires, even when dispatcher onIdle doesn't
  • TTL safety net — max-duration guardrails auto-stop typing even when cleanup signals are missed
  • Cross-channel leakage — typing in one channel no longer bleeds into another
  • Post-run ghost typing — keepalive ticks guarded with runComplete flag
If you've ever seen OpenClaw "typing..." forever after it already replied — that's gone now.

Platform Updates 📱

  • Synology: Native Chat Plugin
  • Android: Device Status + Notifications
  • Codex: WebSocket-First Transport
  • Gemini CLI: OAuth Risk Warning Gate
Synology NAS users: You can now run OpenClaw natively on your NAS with the Synology Chat plugin. No more Docker workarounds.

Built-in Auto-Updater ⬆️

  • New: Optional auto-update for package installs. Default: OFF
    Stable channel: delayed rollout with jitter • Beta channel: hourly cadence
  • New: openclaw update --dry-run — Preview what would happen without actually updating. See channel, tag, target, and restart actions.

Recommendation: Keep it off for production setups. Great for dev/testing environments where you want to stay on the bleeding edge automatically.

Browser Extension — 6 Fixes 🌐

  • Handshake fix — No more stuck "..." badge when challenge frames arrive on connect
  • CORS fix — Extension token validation no longer fails cross-origin
  • Auth parity — ?token= query param now works on /json* endpoints
  • Reconnect resilience — CDP clients survive brief MV3 disconnect windows
  • Shutdown cleanup — Pending requests flushed before socket teardown
  • Route hardening — Malformed % paths return 400 instead of crashing
The Chrome extension has been a pain point. This batch of fixes should make it significantly more reliable.
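
One way to get the route-hardening behaviour described above, as an added example rather than the project's code. It assumes a Node.js handler that percent-decodes the path with decodeURIComponent, which throws URIError on malformed input; `decodePath` and `routeStatus` are hypothetical names.

```javascript
// Added example, not OpenClaw code. Assumption: the route percent-decodes the
// request path with decodeURIComponent, which throws URIError on input such as
// "%", "%zz" or a truncated UTF-8 sequence. Left uncaught inside a request
// handler, that exception can take the whole process down.

// Decode a raw path, reporting failure instead of throwing.
function decodePath(rawPath) {
  try {
    return { ok: true, path: decodeURIComponent(rawPath) };
  } catch (err) {
    if (err instanceof URIError) return { ok: false, path: null };
    throw err; // anything else is a real bug and must not be masked
  }
}

// Hypothetical route function: returns the status code a handler would send.
function routeStatus(rawUrl) {
  const rawPath = rawUrl.split("?", 1)[0]; // the query string is handled elsewhere
  const decoded = decodePath(rawPath);
  if (!decoded.ok) return 400; // malformed percent-encoding
  if (decoded.path.includes("\0")) return 400; // decoded NUL byte is never a valid path
  return decoded.path.startsWith("/json") ? 200 : 404;
}

// Constructed sample requests, not captured traffic.
const sampleUrls = ["/json/list?token=abc", "/json/%zz", "/json/%E0%A4%A", "/other"];
for (const url of sampleUrls) {
  console.log(url, "->", routeStatus(url));
}
```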

⚠️ Breaking Changes

  • Breaking: Tool failure replies — Raw error details now hidden by default. You'll need to opt-in to see them.
  • Breaking: New DM scope default — Changed to per-channel-peer. Affects multi-sender setups — check your config.
  • Breaking: Legacy device-auth v1 removed — If you're still using v1 device auth, you must migrate.
  • Breaking: Onboard --reset scope change — Default is now config+creds+sessions. Workspace deletion requires --reset-scope full.

Multilingual Stop Commands 🌍

You can now stop OpenClaw in 9 languages:

English • Spanish • French • Chinese • Hindi • Arabic • Japanese • German • Portuguese • Russian

  • "stop openclaw", "stop action", "stop agent", "please stop" — all work
  • Trailing punctuation accepted: STOP OPENCLAW!!!
  • "do not do that" — treated as stop trigger
  • Strict standalone matching preserved — won't false-trigger mid-sentence

Source: 2.24 changelog — PR #25103 by @steipete and @vincentkoc
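
The standalone-matching rules above, as an added example (not OpenClaw's code): the whole message must equal a stop phrase after normalization, so trailing punctuation is tolerated but a phrase quoted mid-sentence does not trigger. The helper names and the 200-character cap are assumptions, and only the English phrases from the slide are included.

```javascript
// Added example, not OpenClaw code. Phrase list taken from the slide (English only).
const STOP_PHRASES = new Set([
  "stop openclaw",
  "stop action",
  "stop agent",
  "please stop",
  "do not do that",
]);

// Lowercase, collapse whitespace, and strip punctuation at the END only.
// Leading or embedded text is kept, so it still has to match exactly.
function normalize(message) {
  return message
    .normalize("NFKC")
    .toLowerCase()
    .trim()
    .replace(/\s+/g, " ")
    .replace(/[\p{P}\s]+$/u, "");
}

// True only when the entire message is a stop phrase (strict standalone match).
// The length cap (an assumption) keeps very long inputs off the regex path.
function isStopCommand(message) {
  if (typeof message !== "string" || message.length > 200) return false;
  return STOP_PHRASES.has(normalize(message));
}

// Constructed sample messages, not real chat logs.
const samples = [
  "STOP OPENCLAW!!!",
  "  Stop   Agent ?! ",
  "Do not do that.",
  "I told him to stop openclaw yesterday",
  "stop openclaw and then delete everything",
];
for (const text of samples) {
  console.log(JSON.stringify(text), "->", isStopCommand(text));
}
```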

The Verdict

This is a stability release disguised as a feature release.

The cron fixes alone make this a must-update. Add secrets management, typing indicator fixes, and the browser extension overhaul — this is the most polished OpenClaw has ever been.

  • Cron: Finally Reliable
  • Secrets: Enterprise-Ready
  • Typing: No More Ghost Typing

How to Update

npm install -g openclaw@latest

or

openclaw update

Before updating: Check the breaking changes slide. If you use multi-sender DMs or device-auth v1, read the migration docs first.

Sources: GitHub openclaw/openclaw releases, PatchBot, community reports