OpenClaw 2026.4.9: REM Backfill, Diary Timeline, ClawHavoc

OpenClaw 2026.4.9 just shipped, and the headline is the memory system: a grounded REM backfill lane through the new rem-harness CLI, a structured diary timeline UI in Control, and a meaningful round of security hardening on top of the dreaming pipeline introduced earlier this month. If you turned dreaming on the day 2026.4.5 landed, you've probably had the same nagging thought ever since — what about all the daily notes I wrote before dreaming existed? 4.9 is the answer.

This release also tightens the Codex handoff, ships QA character eval reports with parallel runs, polishes Android pairing and Matrix gateway startup, and adds an iOS CalVer / TestFlight pipeline. It is the broadest 4.x release so far, and most of it is paying down debt from the brutal first quarter of 2026.

Grounded REM Backfill: Replaying Old Notes Into Dreams

OpenClaw's dreaming system runs three phases — Light, REM, and Deep — that promote signals from your agent's daily traces into MEMORY.md and narrate the run in DREAMS.md. The catch, until now, was that dreaming only saw notes written after you enabled it. Anything older just sat there.

2026.4.9 introduces a backfill lane through the new rem-harness CLI, alongside live short-term promotion integration. You point it at a historical directory of daily notes, and dreaming replays them into the corpus — Light promotion, Deep promotion, REM staging — using the same pipeline as a normal sweep. No second memory stack, no parallel store, no migration script.

openclaw memory rem-harness --path ~/.openclaw/memory/daily

Two things make this safer than it sounds. First, backfill runs through the same grounded promotion path as live dreaming, so each promoted memory keeps a pointer back to the source note and its original date — old conversations stay tagged as old. Second, the diary view (more on that below) ships backfill and reset controls so you can stage backfill signals, inspect them, and walk them back if a run goes sideways.

If you're running 4.9 against months of pre-dreaming history, do a small slice first. Pick a single week of daily notes, harness them, then look at what got promoted in DREAMS.md before pointing the CLI at the full archive.

The Diary Timeline UI

The Dream Diary itself isn't new — it landed earlier this cycle as a per-session audit log of what was promoted, modified, or discarded. What 4.9 adds is structure on top of it: a structured diary view with timeline navigation and backfill/reset controls, plus traceable dreaming summaries that tie each promoted memory back to the trace that produced it.

Practically, this turns DREAMS.md from a long file you scroll through into something you can navigate. You can see which sweep promoted a given fact, why, and which signal class (Light, REM, or Deep) it came from. For anyone debugging a memory regression — "why does my agent suddenly think the project deadline is in March?" — this is the first time the answer is one click away instead of a grep.

Memory Aging: Retention Ceilings That Actually Work

OpenClaw's memory model is Markdown files on disk. There is no hidden vector store, no shadow database — the model only remembers what's written to MEMORY.md. That makes aging conceptually simple, but it also means unbounded retention has real consequences: a breach exposes everything your agent has ever consolidated.

4.9 leans into tunable recency and age-ceiling controls inside the dreaming config so you can decide how aggressively old facts decay and at what point they get archived or pruned. For fast-moving project work, a short half-life keeps retrieval focused on the last few weeks. For a long-running personal companion agent, you want the opposite. Pick a ceiling and commit to it — "we'll figure it out later" is how you end up with a four-year-old MEMORY.md that knows secrets you forgot you ever told it.

Security Hardening

This is where 4.9 earns its keep. The two findings to keep on a sticky note:

• CVE-2026-25253 — the one-click WebSocket / token-leakage path where OpenClaw (aka clawdbot / Moltbot) read gatewayUrl from a query string and opened an authenticated WebSocket without prompting, sending the token along. CVSS 3.1 of 8.8, CWE-669, fixed in 2026.1.29. If you're somehow still on a pre-1.29 build, stop reading and upgrade.
• ClawHavoc — Koi Security's audit of the ClawHub marketplace turned up 341 malicious skills (now 824 as of their February follow-up), with 335 traced to one C2 cluster including 91.92.242.30. Not a code vulnerability — a trust vulnerability. Audit which skills your agents have installed.

4.9 itself ships several quieter but important security deltas per the release notes:

• Browser SSRF quarantine strengthened after interaction-driven navigations, so a redirect through a trusted-looking click can't be used to reach internal hosts.
• Runtime-control and browser-control env vars are now blocked from untrusted workspace files — the workspace can't silently rewire the agent.
• Node exec event sanitization, so remote node output can't inject System:-prefixed content into a transcript and impersonate trusted role markers.
• Plugin auth collision prevention during non-interactive onboarding, removing a class of race conditions where two plugins could fight over the same auth slot during first-run.
• Provider auth aliases, letting provider variants share env vars and auth profiles cleanly instead of duplicating credentials per variant.

If you're enabling REM backfill on conversation history that predates the 1.29 patch, audit it first. Backfilling over notes that contain injected prompts can quietly re-inject those payloads into your consolidated memory.

Music, Codex, iOS, and the Wider Picture

Music generation through Google Lyria (lyria-3-clip-preview for 30-second clips, lyria-3-pro-preview for multi-minute tracks, both authenticated via the x-goog-api-key header) and MiniMax has been part of OpenClaw since 2026.4.5. 4.9 doesn't add new providers — instead it ships QA character eval reports with parallel runs (so character regressions show up before users do), an iOS CalVer pipeline with TestFlight iteration management, and a tighter Codex handoff so multi-tool agents pass context cleanly between coding and content surfaces.

What To Do This Week

1. Upgrade to 2026.4.9 if you're not already past 1.29 — the security delta alone is worth it.
2. Try rem-harness on one week of pre-dreaming daily notes; review the resulting DREAMS.md entries before doing more.
3. Set a real retention ceiling on memory aging. Don't leave it unbounded.
4. Audit your installed ClawHub skills against the Koi Security advisory.

Key Takeaways

• OpenClaw 2026.4.9 ships grounded REM backfill — replay months of pre-dreaming daily notes through the same Light/REM/Deep promotion path via the new openclaw memory rem-harness --path CLI, with live short-term promotion integration.
• The Dream Diary gets timeline navigation and backfill/reset controls. Each promoted memory traces back to its source signal and class, making memory-regression debugging one click instead of a grep.
• Security delta is broad: per release notes, browser SSRF quarantine post-navigation, untrusted-workspace env-var blocking, node exec sanitization, plugin auth collision prevention, and provider auth aliases.
• CVE-2026-25253 (one-click WebSocket token leak, CVSS 8.8) was fixed in 2026.1.29 — if you predate that build, upgrade now. ClawHavoc is a ClawHub marketplace trust problem (Koi Security: 335 skills tied to one C2 cluster including 91.92.242.30); audit installed skills.
• Music generation via Google Lyria (30-second lyria-3-clip-preview, multi-minute lyria-3-pro-preview) and MiniMax landed in 2026.4.5; 4.9 polishes the Codex handoff, adds QA character eval reports with parallel runs, and stands up an iOS CalVer + TestFlight pipeline.