
OpenClaw is shipping fast. In about a week the project tagged v2026.6.1, v2026.6.2-beta.1, v2026.6.5-beta.1, and, on June 7, v2026.6.5-beta.2. Blink and you miss three releases.
This is a practical digest of that newest beta: what's in it, what it means for your setup, and the upgrade steps to run today. I'm reading from the GitHub release notes, not a marketing page, so I'm only describing changes the changelog actually lists, and where the public record is thin, I'll say so rather than guess.
One thing up front: this is a beta. The current npm stable (latest) line is 2026.6.1; 2026.6.5-beta.2 lives on the beta channel. So "should I upgrade now" splits in two, and the answer differs for the features versus the security posture.
The theme is reliability: cleaner channel output, tougher tool-result handling, and session recovery that survives interruptions.
MCP tool handling got more defensive. If you wire Model Context Protocol (MCP) servers into OpenClaw, this is the headline. Tool results now coerce resource_link, resource, audio, malformed image, and other non-text/non-image blocks at the point they're materialized into the conversation. In plain terms: when an MCP server returns richer content than the model provider expects, OpenClaw normalizes it instead of forwarding something malformed. That matters because a wrongly-shaped tool result can trigger an Anthropic 400 and poison your session history, parking a bad block in the transcript that breaks every later turn. As more people connect third-party MCP servers they don't control, handling weird tool output gracefully stops being optional.
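The coercion described above, as an added JavaScript example (not OpenClaw's own code): it maps each untrusted MCP content block to a text or image block before it reaches the transcript. The block types are the ones named in the release note; the placeholder strings, the MAX_TEXT cap and the function names are assumptions.

```javascript
// Added example, not OpenClaw's code. Block types follow the MCP tool-result
// content types; placeholder wording, MAX_TEXT and names are assumptions.
const IMAGE_MIME = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;
const MAX_TEXT = 4000; // assumed cap on text built from untrusted fields

const note = (s) => ({ type: "text", text: String(s).slice(0, MAX_TEXT) });

// Map one untrusted block to a text or image block the provider accepts.
function coerceBlock(block) {
  if (block === null || typeof block !== "object") return note("[non-object content block dropped]");
  switch (block.type) {
    case "text":
      return typeof block.text === "string" ? { type: "text", text: block.text } : note("[malformed text block]");
    case "image": {
      const ok = typeof block.data === "string" && BASE64_RE.test(block.data) &&
        IMAGE_MIME.has(block.mimeType);
      return ok
        ? { type: "image", data: block.data, mimeType: block.mimeType }
        : note("[malformed image block omitted]");
    }
    case "audio":
      return note(`[audio omitted: ${block.mimeType ?? "unknown type"}]`);
    case "resource_link":
      return note(`[resource link: ${block.name ?? "unnamed"} <${block.uri ?? "no uri"}>]`);
    case "resource": {
      const r = block.resource ?? {};
      return typeof r.text === "string"
        ? note(`[resource ${r.uri ?? "no uri"}]\n${r.text}`)
        : note(`[binary resource omitted: ${r.uri ?? "no uri"}]`);
    }
    default:
      return note(`[unsupported content block: ${String(block.type)}]`);
  }
}

// Coerce a whole tool result; never return an empty content array.
function coerceToolResult(content) {
  const out = (Array.isArray(content) ? content : [content]).map(coerceBlock);
  return out.length > 0 ? out : [note("[empty tool result]")];
}

// Constructed sample of what a third-party MCP server might return.
const sample = [
  { type: "text", text: "build ok" },
  { type: "image", data: "not base64!", mimeType: "image/png" },
  { type: "resource_link", uri: "file:///tmp/report.txt", name: "report" },
  { type: "audio", data: "AAAA", mimeType: "audio/wav" },
];
console.log(coerceToolResult(sample));
```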
Anthropic extended-thinking sessions recover better. Long reasoning sessions are fragile when the prompt cache expires or the Gateway restarts mid-conversation; they can wedge. This release reworks stream startup so start events wait for message_start before generating, letting pre-generation signature errors hand off to the existing recovery-retry path instead of dying. Several related fixes ship too: deferring stream starts, stripping stale thinking signatures left over from compaction, and detecting unsigned thinking-only stalls. If you run OpenClaw 24/7, those are exactly the conditions you hit.
QQBot stops leaking the model's "thinking." QQBot now strips reasoning/thinking scaffolding before native delivery, so raw <thinking> content no longer leaks into replies.
Parallel is now a bundled web search provider. web_search gains Parallel as a built-in provider, with PARALLEL_API_KEY discovery, guarded endpoint handling, cache-safe session IDs, and onboarding-picker support.
Auth profiles moved into SQLite. Auth profiles now live in SQLite rather than looser storage, official npm plugin install records keep their trusted pins, and service-env planning skips unresolved placeholders that used to mask state-directory values. Plumbing, but the right kind: moving credential/profile state into a structured store.
Channel and mobile durability fixes. The ones named in this release: Matrix (voice-message preflight, thread-aware read/reply), macOS (node mode no longer silently reconnects away from a healthy direct Gateway session), WhatsApp (restarts on per-account config changes, bounds startup waits, closes failed sockets), Google Chat (native approval-card actions), and iOS Talk / Android (clearer diagnostics and provider/model state surfacing).
A note on accuracy: some third-party summaries attach a longer platform list and a batch of provider media-download changes to this exact tag. I don't see those in the v2026.6.5-beta.2 notes, so I won't claim them. For a fast-moving beta, stick to what the changelog says.
Four tags in a week also tells you how to run this project: pin deliberately and read the notes. Betas move quickly and can change behavior between patch numbers. The model is npm dist-tags (latest for stable, beta for prereleases), so you pick your risk level by picking a channel.
OpenClaw ships on npm with a built-in updater. From the project's own README:
# Fresh global install (stable channel)
npm install -g openclaw@latest
# pnpm also works:
# pnpm add -g openclaw@latest
# Update an existing install: pick your channel
openclaw update --channel stable # latest stable line
openclaw update --channel beta # includes 2026.6.5-beta.2
# After any upgrade, run the health check
openclaw doctor
openclaw doctor isn't optional ceremony. Config recovery has gotten stricter across the recent line, and doctor is how you learn whether your config, exec-approval environment, or gateway setup tripped a new validation check. Run it every time you move versions.
Here's what turns "maybe later" into "this week." OpenClaw has had a rough 2026 on vulnerabilities, and the worst are exactly the kind that hit an instance you forgot to patch. A few that are publicly documented and already fixed in current releases:
config.apply path to set an unsafe cliPath and run commands as the gateway user. Patched in 2026.1.20.2026.3.28.2026.4.22).
The pattern is consistent: WebSocket attack surface, the Gateway as a high-value target, sandbox boundaries that needed real hardening. The lesson isn't that OpenClaw is uniquely unsafe; it's that running a months-old build of a fast-moving, network-exposed agent is a live risk. Every release in this line continues the hardening trend; the SQLite auth-profile and trusted-pin work in beta.2 is part of that arc.
Beyond upgrading, do this today:
cliPath values.
The skills/plugin supply-chain side (vetting AgentSkills, ClawHub, scanning for hidden instructions) is a separate threat surface I won't re-cover here; see our earlier OpenClaw skill-workshop guide and Vibe Coder Security posts. This release is about the runtime and transport layer, and the takeaway is simpler: stay current.
Is 2026.6.5-beta.2 the version I should install?
Only if you want prerelease features and can tolerate churn. It's on the beta channel; current stable (latest) is 2026.6.1. For production-ish use, stay on stable with openclaw update --channel stable; for the newest fixes, use --channel beta. Run openclaw doctor afterward either way.
What's the single most useful change here?
For most people, the MCP tool-result coercion: it stops a malformed tool response from throwing provider errors and corrupting session history, a failure mode that grows as you connect more third-party MCP servers. The Anthropic extended-thinking recovery is a close second for long-lived sessions.
Does upgrading fix the OpenClaw CVEs I've read about?
The major documented ones (ClawBleed (CVE-2026-25253), the local RCE (CVE-2026-25593), the pair-approve escalation (CVE-2026-33579), and the Cyera "Claw Chain" sandbox-escape set) are already patched in current releases. Staying recent is how you stay covered; an old build is the actual risk. Upgrading is necessary but not sufficient: also lock down Gateway exposure and auth.
I expose my Gateway remotely. Is that safe after this update?
Treat a publicly reachable Gateway as a standing risk regardless of version. Several documented vulnerabilities assume network or local reachability of the Gateway. Bind to localhost or a private network, require Gateway auth, and reach it over a VPN or authenticated reverse proxy.
What about provider media-download or cron-retry changes I saw mentioned for this release?
I couldn't confirm those in the v2026.6.5-beta.2 notes, so I'm not claiming them as part of this drop. The verifiable provider-side change here is Parallel becoming a bundled web_search provider. When in doubt, read the notes for the exact tag you're installing; at this cadence, details shift patch to patch.