Skeptik Log

OpenClaw 4.20 and 4.21: Kimi K2.6 Default, GPT Image 2, and Another Auth Hole Patched

By u/lucienbaba (original thread)
Note: Sections highlighted in blue are research additions for completeness, not present in the original thread.

OpenClaw 4.20 brings Kimi K2.6 as default and a stack of infrastructure fixes, but broke Telegram runtimes and wiped API keys for some users. 4.21 landed seven hours later with GPT Image 2 and a second auth vulnerability patch in two months, confirming the usual pattern: upgrade, break things, hotfix before breakfast.

OpenClaw shipped 4.20 on April 21 and, barely seven hours later, 4.21 at 2:30 AM UTC. The cadence tells you everything: @steipete pushed a feature-packed release, the community found the holes, and the hotfix landed before most users had even finished reading the changelog.

Here’s what actually matters, what the Reddit thread missed, and where it still breaks.

📋 Source: Reddit r/myclaw, GitHub, OpenClaw release notes

Why you should care

If you run OpenClaw in production, this double-release is a mixed bag. On one hand: Kimi K2.6 as the default model, GPT Image 2 support, cron state separation, session pruning, and a serious auth vulnerability patched. On the other: another round of broken Telegram runtimes, vanished API keys, and a security model that keeps having edge cases where permissive fallback grants more access than intended. Let’s walk through what changed, what broke, and what the Reddit thread glossed over.

4.20: Kimi K2.6 takes the wheel

The headline is the Kimi K2.6 default. Moonshot’s newest model went GA the same day (April 21), and OpenClaw moved fast: all bundled Moonshot surfaces, from web search to media understanding, now default to kimi-k2.6 while keeping kimi-k2.5 around for compatibility.

This is bigger than it sounds. Kimi K2.6 isn’t an incremental bump over K2.5:

  • 1 trillion parameters (MoE, 384 experts, 32B active per token)
  • 262K token context with automatic compression
  • 300 sub-agents across 4,000 steps in a single swarm for up to 12 hours
  • 58.6% on SWE-Bench Pro, 66.7% on Terminal-Bench 2.0
  • Vercel reported over 50% improvement on their internal Next.js benchmark

Also on the model front: thinking.keep = "all" is now supported on K2.6 specifically, while it gets stripped for other Moonshot models when tool_choice is pinned. And tiered model pricing from cached catalogs is now supported, with bundled K2.6/K2.5 cost estimates showing up in token-usage reports.

4.20: The infrastructure work nobody talks about

The Reddit thread glosses over the structural changes, but these are arguably more important for long-term stability:

  • Cron state split - jobs-state.json separates from jobs.json. Git-tracked job definitions stay stable while execution state mutates. If you’ve ever had cron jobs mysteriously drift between installs, this fixes it.
  • Aggressive session maintenance - Entry cap and age prune enforced by default; oversized stores pruned at load time. This directly prevents gateway OOM from accumulated cron/executor session backlogs, which has been a quiet killer for heavy users.
  • Compaction notices - Opt-in start and completion notices during context compaction. Small UX win, but if you’ve ever watched your agent go silent for 30 seconds and wondered if it crashed, you’ll appreciate this.
  • BlueBubbles group system prompts - Per-group behavioral instructions (tapback conventions, threaded-reply rules) injected every turn via GroupSystemPrompt, with * wildcard fallback. Closes #60665.
  • Hardened GPT-5 prompt - Stronger completion bias, weak-result recovery, verify-before-final guidance in the system overlay.
  • Mattermost draft streaming - Thinking, tool activity, and partial replies stream into a single draft post that finalizes in-place. Clean UX for Mattermost users.
  • Detached task lifecycle - New plugin runtime contract so executors can own detached task lifecycle and cancellation without reaching into core internals.

Fixes the Reddit thread didn’t cover: 4.20 also ships several significant fixes. The Anthropic API scoping bug was fixed: api: "anthropic-messages" now only defaults to Anthropic-owned providers, so OpenAI Codex and other providers without explicit api settings no longer get silently rewritten to the wrong transport (#64534). An SSRF guard was added to QQBot direct-upload URL paths. The gateway now enforces allowRequestSessionKey on template-rendered mapping session keys. And the Codex transport normalization fixes legacy openai-completions overrides on default OpenAI/Codex hosts, while leaving custom proxies untouched.

4.21: GPT Image 2 and the second auth fix in two months

4.21 is surgical. The most visible change is GPT Image 2 as the default image-generation provider, with 2K/4K size hints in the metadata. GPT Image 2 launched April 21, 2026 and, per the Image Arena leaderboard, reached #1 within 12 hours across every category. Making it the OpenClaw default is the right call.

But the important change is the auth fix.

This is the second owner-command privilege escalation OpenClaw has patched in two months. The first, GHSA-r7vr-gr74-94p8, was fixed in 2026.3.12: non-owner senders who were command-authorized could reach /config and /debug. Now #69774 closes a different but related gap: with enforceOwnerForCommands=true and commands.ownerAllowFrom unset, a wildcard allowFrom on a channel, or an empty owner-candidate list, was treated as sufficient permission for owner-only commands. In plain terms: on a channel configured to accept messages from anyone, anyone could run owner commands. The fix requires an actual owner identity (an owner-candidate match or operator.admin) instead of falling through to the permissive default.

This is a pattern worth watching. OpenClaw’s permission model keeps having edge cases where a permissive fallback quietly grants more access than intended. Each fix tightens the boundary, but the fact that this keeps happening suggests the authorization layer needs a systematic audit rather than point fixes. Until that happens, the practical defense is to stop relying on the fallback at all: if you run enforceOwnerForCommands=true, set commands.ownerAllowFrom to explicit sender identities rather than leaving it unset, and treat a channel-level wildcard allowFrom as “who may talk to the bot”, never as “who may administer it”.

Other 4.21 fixes:

  • openclaw doctor now recovers missing channel/provider dependencies in place, without reinstalling everything (directly addressing the grammy/Telegram runtime regression from 4.20)
  • Failed image providers get logged at warn before automatic fallback
  • Slack thread aliases are preserved in generic runtime sends
  • Invalid browser accessibility refs in act are rejected immediately instead of timing out
  • The node-domexception alias is mirrored into root package.json overrides to block the deprecated google-auth-library → gaxios → node-fetch → fetch-blob → node-domexception chain

The breakage: what 4.20 actually broke

The r/myclaw thread is the usual mix of horror and shrugs.

u/Acceptable-Tie278 got hit hard: “2026.4.20 broke my whole setup! Deleted my model api keys removed discord and my iMessage just frucked it 🤦‍♂️”

Three subsystems dead in one update. OP u/lucienbaba shrugs it off: “Not even surprised at this point. I just cope by telling myself this is the cost of innovation ;)”

u/ScroogeCa plays it safe: “Thank you for beta testing, think I’ll wait for 4.21”. u/thesongofthunder corrects: “You mean you’ll wait for 4.22 since 4.20 and 4.21 dropped almost instantly”. Fair, given 4.21 is literally the hotfix for 4.20’s fallout.

u/CM0RDuck asks the real question: “Do you people not back up anything?”

u/joaquindlz (in Spanish) reports zero issues: “I asked OC to update me to 4.20 and it did it perfectly without breaking anything.” The damage isn’t uniform. It depends heavily on your specific config, install method, and which channels you rely on.

u/fernfahrer reports Telegram file sending broke. u/Solotonium offers a workaround for Telegram issues dating back to 4.9: ask OpenClaw’s TUI to check the source code for the Telegram schema and suggest config changes.

The grammy bug is real and documented. Issue #69837 confirms that updating to 4.20 via openclaw update breaks the Telegram bundled runtime because grammy becomes unresolvable. The Telegram extension files import it, the package metadata declares it as a dependency, but after update the global install can’t find it at runtime. The workaround is manually installing grammy@1.42.0 and friends inside the openclaw package directory, but openclaw update recreates the problem on every run. This is exactly the kind of packaging regression that 4.21’s doctor plugin repair partially addresses, though the underlying issue of bundled runtime deps getting lost during updates remains a systematic problem.

The API keys getting wiped is a different but related pattern. It typically happens when the onboarding wizard or config migration overwrites existing sections of openclaw.json. The 4.21 doctor fix for plugin dependencies doesn’t address this. The auth/commands security fix (#69774) also means some “breakage” may actually be the new, more restrictive behavior correctly rejecting previously permissive configurations that were unsafe all along.

The technical details

From here on, this gets technical. If you care about the idea more than the implementation, you can skip to the conclusion.

Kimi K2.6 architecture and benchmarks

Spec                        Value
Total parameters            1 trillion (MoE)
Experts                     384 total, 32B parameters active per token
Context window              262K tokens (automatic compression)
Max swarm                   300 sub-agents, 4,000 steps, up to 12 hours
SWE-Bench Pro               58.6%
Terminal-Bench 2.0          66.7%
Vercel Next.js benchmark    over 50% improvement (Vercel-reported, internal)

Auth vulnerability pattern

Two privilege escalation fixes in two months:

Fix                    Version     Issue                                                                          Impact
GHSA-r7vr-gr74-94p8    2026.3.12   Non-owner, command-authorized senders could reach /config and /debug            Unauthorized config/debug access
#69774                 2026.4.21   Wildcard allowFrom or empty owner-candidate list accepted for owner commands    Unauthorized owner command execution

Both share the same root cause: permissive fallback in the authorization layer. The fix pattern (tighten specific edge cases) suggests a systematic audit of the entire permission model would be more effective than continued point fixes.
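To make the fallback concrete, here is an added example (not OpenClaw’s code, and not taken from either advisory) that models the #69774 gap described above in both its permissive and hardened shapes, plus the config audit a practitioner would want to run. The setting names enforceOwnerForCommands, commands.ownerAllowFrom and a channel’s allowFrom come from the post; the function names, the `sender` shape, `sender.isOperatorAdmin` standing in for operator.admin, and the `config.channels` layout are assumptions.

```javascript
// Added example (not OpenClaw's code): a model of the owner-command
// authorization fallback that #69774 closed. Function names, the `sender`
// shape, `sender.isOperatorAdmin` (standing in for operator.admin) and the
// `config.channels` layout are assumptions; the setting names come from the post.

// "Unset" means missing or empty; returns null in that case.
function ownerList(config) {
  const list = config.commands && config.commands.ownerAllowFrom;
  return Array.isArray(list) && list.length > 0 ? list : null;
}

// Vulnerable shape: with enforceOwnerForCommands=true and ownerAllowFrom
// unset, the channel's allowFrom is used as the owner-candidate list, and a
// wildcard or an empty list falls through to "allowed".
function isOwnerCommandAllowedPermissive(config, channel, sender) {
  if (!config.enforceOwnerForCommands) return true;
  const candidates = ownerList(config) || channel.allowFrom || [];
  if (candidates.length === 0 || candidates.includes('*')) {
    return true; // BUG: permissive fallback grants owner access to anyone
  }
  return candidates.includes(sender.id);
}

// Hardened shape: an owner-only command needs an actual owner identity,
// meaning operator.admin or a match against an explicit owner-candidate
// list. A wildcard is ignored, an empty list denies, and the channel's
// allowFrom (which only governs who may talk to the bot) is not consulted.
function isOwnerCommandAllowedStrict(config, channel, sender) {
  if (!config.enforceOwnerForCommands) return true;
  if (sender.isOperatorAdmin) return true;
  const candidates = (ownerList(config) || []).filter((id) => id !== '*');
  if (candidates.length === 0) return false; // fail closed
  return candidates.includes(sender.id);
}

// Config audit: channels where the old fallback would have let any sender
// run owner commands under enforceOwnerForCommands=true.
function findPermissiveChannels(config) {
  if (!config.enforceOwnerForCommands) return [];
  const names = Object.keys(config.channels || {});
  const declared = ownerList(config);
  if (declared && declared.some((id) => id !== '*')) return []; // explicit owners: no fallback
  if (declared) return names; // wildcard-only owner list: every channel is open
  return names.filter((name) => {
    const allow = config.channels[name].allowFrom || [];
    return allow.length === 0 || allow.includes('*');
  });
}

// Constructed sample config: ownerAllowFrom unset, Telegram open to everyone,
// Discord restricted to a single sender id.
const sampleConfig = {
  enforceOwnerForCommands: true,
  commands: {},
  channels: {
    telegram: { allowFrom: ['*'] },
    discord: { allowFrom: ['user:1001'] },
  },
};

// Evaluate one sender on one channel under both versions of the check.
function decide(config, channelName, sender) {
  const channel = config.channels[channelName];
  return {
    permissive: isOwnerCommandAllowedPermissive(config, channel, sender),
    strict: isOwnerCommandAllowedStrict(config, channel, sender),
  };
}

const stranger = { id: 'user:9999', isOperatorAdmin: false };
console.log(decide(sampleConfig, 'telegram', stranger)); // { permissive: true, strict: false }
console.log(findPermissiveChannels(sampleConfig)); // [ 'telegram' ]
```

The audit function is the part worth adapting to a real deployment: feed it your effective config and anything it returns is a channel where, before 4.21, the only thing standing between a random sender and owner commands was the fallback.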

grammy/Telegram packaging regression

The root cause chain: openclaw update replaces the global install, bundled runtime deps (like grammy) get dropped from the resolved dependency tree, but the Telegram extension source still imports them. At runtime, the import fails. The 4.21 doctor repair path recovers some of these, but the fundamental problem (update replaces the install tree that bundled deps live in) persists.

The bottom line

Key points:

  • Kimi K2.6 is a genuine leap for agentic workflows and now the OpenClaw default, but the model switch is only half the story
  • Two auth privilege escalation fixes in two months reveal a systematic problem with permissive fallbacks in OpenClaw’s authorization layer
  • 4.20 broke Telegram runtimes, wiped API keys, and killed channels for some users; 4.21’s hotfix addresses some of this, but the packaging regression remains

OpenClaw keeps shipping real improvements and real breakage in the same release. The pattern is predictable enough that “back up your config and wait a day” remains the only reliable upgrade strategy.


Resources

Reddit thread by u/lucienbaba, subreddit r/myclaw