🤖 Ghostwritten by Claude Opus 4.8 · Fact-checked & edited by GPT 5.5

OpenClaw v2026.6.10-beta.1: What's Actually New

OpenClaw v2026.6.10-beta.1 is a reliability, security, and integration release. The headline is not a flashy new user-facing feature; it is that the agent loop is less likely to lose state, messaging connectors behave more consistently, and operators get better controls for session management.

The release train also includes alpha variants through v2026.6.15-alpha.1. Across that train, OpenClaw adds model catalog entries for GLM-5.2 and Claude Haiku 4.5, scopes SSH tunnel preflight behavior to loopback, removes device-backed node pairings, repairs legacy Codex routes, and expands delivery support across Slack, Telegram, Discord, and WhatsApp.

There are two operational caveats. First, this is a beta tag, while the published NPM package remains at v2026.5.27, so teams should pin and test deliberately rather than assuming a simple package upgrade path. Second, CVE-2026-33579, an unauthorized-access flaw in the /pair approve flow, remains unpatched. That security context matters before exposing any OpenClaw node beyond trusted boundaries.

What Changed in the Agent Core

TL;DR: OpenClaw v2026.6.10-beta.1 fixes several state-loss problems in the agent loop, including pending subagent announcements, empty chat history, media index drift, and compaction alias resolution.

The most important agent fixes are quiet ones. They address the kind of long-running-session failures that are hard to diagnose because the system may keep responding even after its internal state has drifted.

This release preserves pending subagent announcements, so a parent agent no longer loses track of work that has been delegated but not yet surfaced. That matters for orchestration: when a subagent starts or finishes work, the surrounding session needs to preserve that event rather than silently flatten it out of the conversation.

Three related reliability fixes tighten the loop further:

• Chat history is kept non-empty. This prevents failures caused by compaction or trimming leaving a session with no remaining messages.
• Media index alignment is corrected. Attachments and image references stay aligned after history edits.
• Compaction alias resolution is fixed. Model and tool aliases resolve correctly after a session is compacted instead of pointing at stale references.

The practical result is better durability for long-lived sessions. Agents that run over multiple turns, invoke subagents, carry media, or compact their context should now degrade less often due to internal bookkeeping errors.

Messaging and CLI Workflows

TL;DR: Slack gains outbound message_sent hooks, Telegram gets richer structured output and thread-create CLI remapping, Discord and WhatsApp delivery improve, and new CLI workflows make sessions easier to manage.

The messaging updates are likely to be the most visible changes for teams running OpenClaw as a chat-native agent host.

Platform	What changed	Why it matters
Slack	Outbound message_sent hooks	Automation can react when the agent sends a message, not only when it receives one.
Telegram	Rich tables and lists, plus thread-create CLI remapping	Structured output is easier to read, and thread creation from the CLI maps correctly.
Discord	Delivery hardening	Message delivery is more consistent.
WhatsApp	Delivery hardening	Message flow is more reliable on a difficult integration surface.

Slack's outbound message_sent hook is especially useful for automation. It gives downstream systems a clean event when OpenClaw posts a message, which makes it easier to log outbound activity, trigger follow-up workflows, or monitor agent behavior.

Telegram's changes improve presentation quality. Tables and lists now render as structured content rather than collapsing into hard-to-read text, which is useful for summaries, reports, and channel updates.

The CLI also gets several workflow improvements aimed at session hygiene:

• Rename sessions from chat.
• Compact sessions explicitly.
• Display session duration.
• Preview messages with a dry-run workflow before sending.

The dry-run message preview is the safest habit to adopt first. It lets operators inspect an outbound message path before committing the send, reducing accidental posts into the wrong channel or thread. Explicit compaction is also useful for long-running agents because it allows compaction at deliberate boundaries rather than waiting for automatic behavior.

Model Catalog Updates

TL;DR: GLM-5.2 and Claude Haiku 4.5 join the model catalog, provider IDs are normalized, tool-schema recovery is safer, and legacy Codex routes are repaired.

OpenClaw's model catalog now includes GLM-5.2 and Claude Haiku 4.5. The release also normalizes provider IDs, which should make routing configuration more predictable across providers with different naming conventions.

The other important model-routing improvement is safer tool-schema recovery. When tool or function schemas are malformed, the system is better positioned to recover instead of breaking the turn outright. That is an operationally important fix because tool schemas often sit at the boundary between model output, orchestration code, and provider-specific formatting requirements.

The release train also repairs legacy Codex routes. That matters for older configurations that still reference Codex-era routing paths; those routes should no longer fail because of the repaired path handling.

Taken together, these changes make routing less brittle. The value is not only the addition of two catalog entries, but the cleanup around identifiers, schemas, and backward-compatible routing paths.

Security Notes for This Release Train

TL;DR: The SSH tunnel preflight is now loopback-scoped, device-backed node pairings were removed, the minimum safe baseline is v2026.3.24, June 2026 trains require patch 5 or higher, and CVE-2026-33579 remains unpatched.

The most notable hardening change is that the SSH tunnel preflight is now scoped to loopback. In practical terms, the tunnel endpoint is constrained to the local host boundary rather than being reachable across the broader network.

That is a meaningful reduction in attack surface for nodes running on shared infrastructure or developer machines connected to untrusted networks. A service bound to loopback is addressable from the same machine, not from other machines on the LAN.

OpenClaw also removed device-backed node pairings, closing another path for unexpected node access.

The remaining security caveat is significant: CVE-2026-33579 remains unpatched. The flaw affects the /pair approve flow and allows unauthorized access. Until a fix ships, the pairing endpoint should not be exposed to untrusted networks, and access to it should be tightly restricted.

For baseline safety, OpenClaw deployments should be on v2026.3.24 or later. For June 2026 release trains specifically, use patch 5 or higher.

Frequently Asked Questions

TL;DR: Treat this release as a beta evaluation build, pay attention to the NPM package gap, and do not expose the unpatched pairing endpoint.

Q: Should OpenClaw v2026.6.10-beta.1 run in production?

Not without staging and explicit version pinning. The reliability and security improvements are meaningful, but this is still a beta tag, and the published NPM package remains at v2026.5.27. Test messaging integrations, model routes, and session workflows before promoting it.

Q: What is the minimum safe OpenClaw version?

The minimum safe baseline is v2026.3.24. For June 2026 release trains, use patch 5 or higher.

Q: What is CVE-2026-33579, and is it fixed here?

CVE-2026-33579 is an unauthorized-access flaw in the /pair approve flow. It remains unpatched in this release train, so the pairing endpoint should stay off untrusted networks and be restricted to trusted operators.

Q: What do GLM-5.2 and Claude Haiku 4.5 change for routing?

They expand the model catalog and can be referenced through normalized provider IDs. The related tool-schema recovery improvements also make routing less fragile when schemas are malformed.

Q: Which CLI changes are new in this train?

The new workflows include renaming sessions from chat, explicit session compaction, session duration display, and dry-run message preview. Older versions should not be assumed to support those workflows.

Key Takeaways

TL;DR: This release is about operational maturity: stronger agent state handling, better messaging delivery, safer session workflows, expanded model routing, and tighter security boundaries.

• OpenClaw v2026.6.10-beta.1 is primarily a reliability and integration release.
• Agent state fixes cover pending subagent announcements, non-empty chat history, media index alignment, and compaction alias resolution.
• Slack, Telegram, Discord, and WhatsApp receive messaging improvements, with Slack outbound hooks and Telegram structured rendering standing out.
• CLI workflows now cover session renaming from chat, explicit compaction, duration display, and dry-run message preview.
• GLM-5.2 and Claude Haiku 4.5 join the model catalog with normalized provider IDs and safer tool-schema recovery.
• SSH tunnel preflight behavior is now loopback-scoped, and device-backed node pairings were removed.
• CVE-2026-33579 remains unpatched, so pairing endpoints must stay protected.

Conclusion

TL;DR: OpenClaw's June 2026 beta train improves the less glamorous parts of agent infrastructure—the parts that determine whether a demo can become a dependable system.

OpenClaw v2026.6.10-beta.1 is best understood as a hardening release. It improves agent state durability, messaging delivery, routing consistency, session operations, and local network boundaries.

That combination matters because chat-native agent systems tend to fail quietly: a missed subagent announcement, a malformed tool schema, an attachment index that drifts, or an endpoint exposed too broadly may not look dramatic at first. Over time, those issues determine whether an agent can be trusted to run unattended.

The sensible path is deliberate adoption: pin versions, test integrations, use v2026.3.24 or later as the minimum safe baseline, require patch 5 or higher for June 2026 trains, and keep /pair approve away from untrusted networks until CVE-2026-33579 is patched.