OpenClaw v2026.3.28, released March 28 and labeled a Tokyo pre-ClawCon drop, adds an async requireApproval mechanism to before_tool_call plugin hooks — a direct response to CVE-2026-29607, a medium-severity approval bypass that let attackers execute arbitrary code after duping users into approving a single safe-looking command. The fix is the lead. The nine CVEs that dropped in the preceding four days are the context that explains why it had to happen.
CVE-2026-29607 exploited the allow-always wrapper feature. Approve a wrapped command once — say, a directory listing — and the wrapper retains approval at its level, not the inner command's. Swap the inner payload to something malicious afterward. The agent re-runs the same wrapper, the wrapper says "already approved," no second prompt fires, remote code execution follows. The OpenClaw CVE flood blog post describes it plainly: "Swap the inner payload later → RCE without re-prompting." The patch in v2026.2.22 closed that hole.
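The keying flaw behind that bypass is easy to see in code. The following is an added illustration, not OpenClaw's implementation: a hypothetical allow-always store is built twice, once keyed on the wrapper name alone (the behaviour the text describes) and once keyed on the wrapper plus its fully resolved arguments. The tool name, argument shape and both commands are constructed sample values.

```javascript
// Added illustration of the allow-always keying flaw described above.
// Hypothetical code and names; not OpenClaw's implementation.

// Produce a stable string for any JSON-like value so that two calls with the
// same tool and the same fully resolved arguments map to the same key,
// regardless of object key order.
function canonicalize(value) {
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]))
      .join(",") + "}";
  }
  return JSON.stringify(value);
}

// Weak key: only the wrapper's name. Once the wrapper is approved, any inner
// payload routed through it inherits that approval without a new prompt.
const wrapperOnlyKey = (call) => call.tool;

// Hardened key: the wrapper plus its fully resolved arguments. Changing the
// inner command changes the key, so the gateway prompts again.
const resolvedCallKey = (call) =>
  canonicalize({ tool: call.tool, args: call.args });

class AllowAlwaysStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.approved = new Set();
  }
  approveAlways(call) {
    this.approved.add(this.keyFn(call));
  }
  // True when the gateway must prompt the user before running this call.
  needsPrompt(call) {
    return !this.approved.has(this.keyFn(call));
  }
}

// Replay the scenario from the text: approve a benign listing once, then
// re-run the same wrapper with a different inner command. Both commands are
// constructed sample values.
function simulateSwap(keyFn) {
  const store = new AllowAlwaysStore(keyFn);
  const benign = { tool: "shell-wrapper", args: { command: "ls -la" } };
  const swapped = { tool: "shell-wrapper", args: { command: "echo replaced-inner-payload" } };

  const promptedBefore = store.needsPrompt(benign); // first run: user is asked
  store.approveAlways(benign);                       // user picks allow-always
  return {
    promptedBefore,
    benignReprompts: store.needsPrompt(benign),      // same command: no prompt
    swappedPrompts: store.needsPrompt(swapped),      // swapped command: ?
  };
}

console.log("wrapper-only key:", simulateSwap(wrapperOnlyKey));
console.log("resolved-call key:", simulateSwap(resolvedCallKey));
```

With the wrapper-only key, `swappedPrompts` is `false`: the swapped command rides on the earlier approval. With the resolved-call key it is `true`, which is the re-prompt the v2026.2.22 patch restored. The canonicalization step matters in practice, since an approval cache keyed on raw `JSON.stringify` output can be dodged by reordering argument keys.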
The old approval system relied on the agent cooperating with a soft block — a code suggestion, not a hard constraint. A sufficiently motivated or compromised wrapper could ignore it. The new before_tool_call hook mechanism is not a suggestion. It is a two-phase gateway RPC operation: the gateway freezes agent execution at the RPC layer and waits for user approval before the tool call proceeds. The agent cannot bypass a freeze it does not control.
Also hardened in PR #55339: approval IDs are now host-generated via randomUUID() rather than supplied by plugins, eliminating forged or predictable ID attacks. The schema caps timeout at 600 seconds, restricts severity to an info/warning/critical enum, and limits titles to 80 characters and descriptions to 256. Plugins cannot override these constraints.
Nine CVEs landed between March 18 and 21, as the OpenClaw blog documented. One scored 9.9 CVSS, the kind of number that buries everything else in a security feed. Six were high severity and two medium. But those nine are a fraction of the total: the jgamblin/OpenClawCVEs tracker lists 156 advisories, with 128 still awaiting CVE assignment. This is an ongoing cleanup, not a clean slate.
Among them: CVE-2026-22172, the 9.9 WebSocket authorization bypass. Connect to an OpenClaw gateway via WebSocket using shared-token or password auth. Tell the server you are operator.admin during handshake. The server complies. Full gateway access, no toolkit required. As the blog post describes it: "No exploit toolkit. No buffer overflow. You just ask."
The patch-to-disclosure timing is notable. Five of the nine CVEs — CVE-2026-28460, CVE-2026-29607, CVE-2026-32032, CVE-2026-32049, CVE-2026-22171 — were patched in v2026.2.22, released around February 22. The CVE numbers were not published until March 18 through 21. That is roughly a month in which the fixes existed but the vulnerabilities had no public names or descriptions. Whether that lag reflects a coordinated disclosure process, CVE assignment backlogs, or something else is not clear from the available record. The practical implication: anyone who updated to v2026.2.22 between late February and mid-March was on patched code before the vulnerabilities had published CVE numbers. The exposure window runs the other direction: the risk sat with deployments still on older code, not with those that patched early.
v2026.3.28 also ships a handful of non-security additions worth noting. The xAI bundled provider moves to the Responses API with first-class x_search, auto-enabling the xAI plugin from owned web-search and tool config. MiniMax adds an image-01 provider with generate and image-to-image editing; the legacy M2, M2.1, M2.5, and VL-01 models are removed. Gemini CLI joins Claude CLI and Codex CLI as a bundled CLI backend, with bundled setups no longer requiring manual plugins.allow entries. The Qwen portal.qwen.ai OAuth integration is removed entirely — migrate to Model Studio or nothing. And a new openclaw config schema command prints the JSON schema for openclaw.json, which is the kind of developer experience addition that ships quietly and gets used constantly.
For agent infrastructure builders, the approval mechanism change is the durable technical story. The difference between "agent cooperates with soft block" and "gateway enforces two-phase freeze" is the difference between a security control and a suggestion. It means approval policy can now be a real governance constraint rather than an honor system plugins can opt out of. Whether that changes how enterprises deploy OpenClaw depends on whether the compliance benefits of hard enforcement outweigh the latency cost of synchronous approval. That tradeoff is worth watching in the six to twelve months of production deployments it will take to answer.
The nine CVEs tell a different story: there was a larger vulnerability surface here than anyone outside the project knew. The 128 unassigned advisories suggest the disclosure pipeline is still working through the backlog. The next batch may not land as nine-in-four-days — or it may. OpenClaw has 339K GitHub stars and a substantial enterprise install base, as abmedia.io reported on the release. The infrastructure is too deployed for these to stay quiet for long.