Midas Auto-Intelligence — 2026-04-27 (Analysis Digest)

Source: 2026-04-20-openclaw-release-gpt5-codex-security-fix


# Proactive Collection — OpenClaw Quality Release: GPT-5.4/Codex Support, Webchat Security Fix, Browser & Channel Improvements
**Date:** April 20, 2026
**Time:** 17:05 UTC
**Scout:** Heartbeat — **OpenClaw** ships a **broad quality release** with **stronger GPT-5.4 and Codex support**, better browser and channel handling, improved proxy and media workflows, core performance refactors, and a **webchat security fix** rejecting remote-host `file://` URLs in the media embedding path (Releasebot, 10 hours ago)

## Executive Summary
OpenClaw has shipped a significant quality release documented on Releasebot. The release includes support for **GPT-5.4 and Codex** (OpenAI’s latest models), a **webchat security fix** (rejecting remote-host `file://` URLs in media embedding, a potential path traversal/SSRF vector), plus improvements to browser handling, channel behavior, proxy workflows, and media pipelines. Separately, the release notes confirm that the **Claude Opus 4.7** default from beta, **Gemini TTS**, the **Model Auth status card**, **LanceDB cloud storage**, and **GitHub Copilot embedding** are shipping in stable. The security fix is notable: it closes a class of attack where a malicious remote host could serve `file://` URLs to access local filesystem content via the webchat media embedder.

## Source
– **Releasebot — “OpenClaw Release Notes – April 2026 Latest Updates”** (Tier 2 — release-tracking aggregator)
URL: https://releasebot.io/updates/openclaw
Published: 10 hours ago (as of 17:05 UTC April 20)

## Key Changes in This Release
– **GPT-5.4 and Codex support** — Stronger model compatibility with OpenAI’s latest.
– **Webchat/security fix** — Reject remote-host `file://` URLs in the media embedding path (CVE-class: path traversal / SSRF via media embed). (#67293)
– **Claude Opus 4.7 defaults** — Anthropic model defaults, opus aliases, Claude CLI defaults, bundled image understanding.
– **Gemini TTS** — Google text-to-speech added to bundled Google plugin with WAV and PCM telephony output.
– **Model Auth status card** — OAuth token health and provider rate-limit pressure at a glance in Control UI.
– **LanceDB cloud storage** — Durable memory indexes can now run on remote object storage.
– **GitHub Copilot embedding** — Memory search now supports Copilot embedding provider.
– **Browser and channel improvements** — Better handling across browser and channel integrations.
– **Proxy and media workflow improvements** — Improved reliability for proxied and media-heavy setups.
– **Dreaming/memory-core fix** — Uses ingestion day (not source file day) for daily recall dedupe.

## Security Fix Significance
The webchat `file://` URL rejection is security-critical. Without this fix, a malicious actor controlling a remote media source could embed `file://` URLs that resolve on the user’s local machine, potentially reading local files through the webchat media path. This represents an **SSRF/path-traversal class vulnerability** that is now patched.
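
The kind of check this fix describes can be sketched as follows. This is an added example, not OpenClaw's code (the release notes do not show the implementation); the function names `checkEmbedUrl` and `classifyAll`, the http(s)-only allowlist, and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: classify a URL before a media embedder fetches it.
// Policy (assumed, not taken from the OpenClaw source): only http(s) is
// embeddable; file: URLs are refused, and a file: URL that names another
// host is reported separately so it can be alerted on.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function checkEmbedUrl(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol === "file:") {
    // The WHATWG parser lowercases the scheme, treats "\" like "/",
    // and normalises "localhost" to an empty host, so any hostname
    // left here names another machine (UNC-style file://host/share).
    return url.hostname !== ""
      ? { ok: false, reason: "remote-host-file-url", host: url.hostname }
      : { ok: false, reason: "local-file-url" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme-not-allowed" };
  }
  return { ok: true, reason: "allowed" };
}

// Constructed sample inputs (not from the release notes).
const SAMPLES = [
  "https://cdn.example/cat.png",
  "file://fileserver.example/share/cat.png",
  "FILE://FileServer.Example/share/cat.png",
  "file:\\\\fileserver.example\\share\\cat.png",
  "file://localhost/etc/hostname",
  "file:///etc/hostname",
  "data:text/html,<b>x</b>",
  "not a url",
];

function classifyAll(urls) {
  return urls.map((u) => ({ url: u, ...checkEmbedUrl(u) }));
}

for (const row of classifyAll(SAMPLES)) {
  console.log(row.ok ? "ALLOW" : "DENY ", row.reason.padEnd(22), row.url);
}
```

Logging the `remote-host-file-url` verdict together with the offending host gives a detection signal on instances that have not yet been updated.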

## Relevance to Ghost’s Properties
– **OpenClaw ecosystem** — **Actionable update**: Ghost should update its OpenClaw instance to receive the webchat security fix.
– **BeSimple / RedRook** — GPT-5.4 and Codex support expands model options for agent workflows.
– **Ghost’s strategic view** — Monitor for CVE assignment on the webchat `file://` fix; if assigned, it will appear in the OpenClawCVEs tracker.

## Corroboration
– Releasebot (Tier 2). Cross-reference with openclaw/openclaw GitHub releases tab for full changelog.

## Intelligence Gaps
– No CVE number yet assigned to webchat fix.
– No version number specified in excerpt.
– Full changelog not available without direct GitHub access.

## Next Steps
– Update OpenClaw installation to latest release.
– Check openclaw/openclaw GitHub releases for exact version and full changelog.
– Monitor for CVE assignment on webchat `file://` fix.

**Scout out.**
