[Release] openclaw/openclaw v2026.4.14-beta.1: openclaw 2026.4.14-beta.1

OpenClaw v2026.4.14-beta.1 is a maintenance release addressing 30+ security fixes, stability improvements, and feature enhancements across messaging platforms, browser automation, scheduling, memory systems, and agent tooling. Key improvements include replacing markdown parsing to prevent ReDoS attacks, fixing Telegram forum topic handling, correcting cron scheduler behavior, and enforcing SSRF/security policies across multiple integrations. The release emphasizes background task optimization and proper context preservation across system components.

Key Points

• •Security: Replace marked.js with markdown-it to prevent ReDoS attacks freezing the Control UI via maliciously crafted markdown
• •Security: Enforce SSRF policy on browser snapshot/screenshot/tab routes and Microsoft Teams SSO signin invokes
• •Security: Force owner downgrade for untrusted hook:wake system events and redact sourceConfig/runtimeConfig in config snapshots
• •Telegram: Surface human topic names in agent context and plugin metadata by learning from forum service messages
• •Cron/Scheduler: Fix next-run calculation to prevent refire loops and preserve error-backoff floor during maintenance repair
• •Browser/CDP: Allow local loopback CDP control plane to bypass SSRF policy for managed Chrome readiness and status probes
• •Auto-reply: Keep sendPolicy:deny from blocking inbound message processing for observer-style setups while suppressing outbound delivery
• •Memory: Move recalled memory to hidden untrusted prompt-prefix path instead of system prompt injection; fix QMD to stop treating legacy lowercase memory.md as second default
• •Context Engines: Run opt-in turn maintenance as idle-aware background work so foreground turns don't wait on proactive maintenance
• •Outbound Delivery: Persist originating session context on queued delivery entries and replay during recovery to maintain media policy context after restart

Workflow Diagram

Concepts