OpenClaw 4.20 and 4.21: Kimi K2.6, Image 2 and the usual bug dance that breaks setups
OpenClaw dropped 4.20 and, a mere six hours later, 4.21. Textbook release cadence for @steipete’s project: push, discover the damage, patch. Let’s break it down.
What’s new in 4.20
4.20 is a substantial release, mostly cleanup and consolidation, with a few notable features:
- Kimi K2.6 as default - Moonshot/Kimi now defaults to `kimi-k2.6`, with `kimi-k2.5` still available for compatibility. Also supports `thinking.keep = "all"` on K2.6, stripped for other Moonshot models when `tool_choice` is pinned.
- Tiered model pricing - Support for tiered pricing from cached catalogs, with bundled Kimi K2.6/K2.5 cost estimates in token-usage reports.
- BlueBubbles: per-group system prompts - Group behavioral instructions (tapback, threaded-reply conventions) are now injected every turn via `GroupSystemPrompt`. Supports `*` wildcard fallback. Closes #60665.
- Hardened GPT-5 prompt - System overlay for GPT-5/Codex now has stronger completion bias, weak-result recovery, and verify-before-final guidance.
- Cron: separate runtime state - `jobs-state.json` splits from `jobs.json`, so git-tracked job definitions stay stable while execution state mutates.
- Aggressive session maintenance - Entry cap and age prune are enforced by default, and oversized stores are pruned at load time to prevent gateway OOM.
- Compaction notices - Opt-in start and completion notices during context compaction.
- Mattermost: draft streaming - Thinking, tool activity, and partial replies stream into a single draft post that finalizes in-place.
- Improved onboarding - Single warning banner, headings, checklists, spinner during model catalog load, “API key” placeholder in prompts.
Plus: a `sanitizeForLog()` optimization (a single regex instead of an iterative loop), plugin loader reuse for leaner tests, Docker E2E for channel dependencies, and a QA suite that fails by default on failed scenarios.
What 4.21 fixes (and why it landed 6 hours later)
4.21 is small but surgical:
- OpenAI Image 2 as default - The bundled image-generation provider and smoke tests switch to `gpt-image-2`, with 2K/4K size hints in metadata.
- Doctor repairs plugins - `openclaw doctor` now recovers missing channel/provider dependencies from doctor paths without reinstalling everything.
- Image failure logging - Failed image providers are logged at `warn` level before automatic fallback.
- Tighter auth commands - Owner-only commands now require actual owner identity, no longer accepting a wildcard `allowFrom` or an empty owner-candidate list. Security fix #69774.
- Slack: preserved thread aliases - Generic runtime sends stay in the correct Slack thread.
- Browser: immediate reject - Invalid accessibility refs in `act` are rejected immediately instead of waiting for a timeout.
- npm: node-domexception fix - The alias is mirrored into the root `package.json` overrides to block the deprecated google-auth-library → gaxios → node-fetch → fetch-blob → node-domexception chain.
From the official changelog, not mentioned in the Reddit post: 4.20 also includes a fix for “Exec/YOLO: stop rejecting gateway-host exec” (changelog text truncated on GitHub). More importantly, 4.21 closes a significant security issue: before this fix, any sender on a channel configured with a wildcard `allowFrom`, or on a channel with no owner candidate configured, could execute owner-only commands even with `enforceOwnerForCommands=true`; in those configurations the flag enforced nothing. That is a silent privilege escalation, and it explains the rapid hotfix.
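To make the 4.21 auth fix concrete, here is an added example written for this write-up (not OpenClaw’s own code) that reconstructs the two weak shapes the changelog describes, a wildcard `allowFrom` and an empty owner-candidate list, beside a hardened check that only accepts a concrete sender ID as owner identity. The `ChannelConfig` type, the function names and the command list are assumptions; only the three config fields named in the changelog entry are taken from it.

```typescript
// Added example, not OpenClaw's code: a reconstruction of the owner-only
// command check that 4.21 tightened (#69774), in a permissive form matching
// the behaviour the post describes and in a hardened form. Type and function
// names are hypothetical; the config fields mirror the ones the post mentions.

type ChannelConfig = {
  allowFrom: string[];            // senders admitted to the channel; "*" means anyone (assumed semantics)
  ownerCandidates: string[];      // senders who may run owner-only commands (assumed field name)
  enforceOwnerForCommands: boolean;
};

// Constructed list of commands that only the owner should be able to run.
const OWNER_ONLY = new Set(["restart", "set-model", "rotate-keys"]);

function senderAllowed(cfg: ChannelConfig, sender: string): boolean {
  return cfg.allowFrom.includes("*") || cfg.allowFrom.includes(sender);
}

// Permissive check (pre-4.21 behaviour as the post describes it, reconstructed;
// not the project's actual code): a wildcard allow list is taken as proof of
// owner identity, and an empty candidate list is read as "no owner restriction".
function permissiveOwnerCheck(cfg: ChannelConfig, sender: string, command: string): boolean {
  if (!senderAllowed(cfg, sender)) return false;
  if (!OWNER_ONLY.has(command) || !cfg.enforceOwnerForCommands) return true;
  if (cfg.ownerCandidates.length === 0) return true;   // BUG: fails open
  if (cfg.allowFrom.includes("*")) return true;        // BUG: "*" is not an identity
  return cfg.ownerCandidates.includes(sender);
}

// Hardened check: owner identity must be a concrete sender ID. Wildcards and
// blank entries are discarded, and an empty candidate list means nobody is owner.
function hardenedOwnerCheck(cfg: ChannelConfig, sender: string, command: string): boolean {
  if (!senderAllowed(cfg, sender)) return false;
  if (!OWNER_ONLY.has(command) || !cfg.enforceOwnerForCommands) return true;
  const owners = cfg.ownerCandidates.filter((id) => id !== "*" && id.trim() !== "");
  if (owners.length === 0) return false;               // fail closed
  return owners.includes(sender);
}

// Constructed configurations: the two weak shapes and one explicit-owner setup.
const WILDCARD_ALLOW: ChannelConfig = { allowFrom: ["*"], ownerCandidates: ["alice"], enforceOwnerForCommands: true };
const NO_OWNER: ChannelConfig = { allowFrom: ["alice", "mallory"], ownerCandidates: [], enforceOwnerForCommands: true };
const EXPLICIT_OWNER: ChannelConfig = { allowFrom: ["alice", "mallory"], ownerCandidates: ["alice"], enforceOwnerForCommands: true };

// For each sender, who is allowed to run "restart" under each check.
function compare(cfg: ChannelConfig, senders: string[]) {
  return senders.map((s) => ({
    sender: s,
    permissive: permissiveOwnerCheck(cfg, s, "restart"),
    hardened: hardenedOwnerCheck(cfg, s, "restart"),
  }));
}

console.table(compare(WILDCARD_ALLOW, ["alice", "mallory"]));
console.table(compare(NO_OWNER, ["alice", "mallory"]));
console.table(compare(EXPLICIT_OWNER, ["alice", "mallory", "eve"]));
```

Run it under ts-node or tsx: `mallory` passes the permissive check on both weak configs and fails the hardened one, while `alice` still passes where she is the explicit owner. The hardened version fails closed when no owner is configured, which is exactly the behaviour that looks like “breakage” to anyone whose channel relied on the wildcard.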
The dark side: broken setups and a community that “copes”
As usual with OpenClaw releases, the r/myclaw comments tell two parallel stories.
u/Acceptable-Tie278 had no luck: “2026.4.20 broke my whole setup! Deleted my model api keys removed discord and my iMessage just frucked it 🤦♂️”
API keys wiped, Discord removed, iMessage dead. Three hits in a single update. OP u/lucienbaba responds philosophically: “Not even surprised at this point. I just cope by telling myself this is the cost of innovation ;)”
u/ScroogeCa plays it safe: “Thank you for beta testing, think I’ll wait for 4.21”. But u/thesongofthunder corrects: “You mean you’ll wait for 4.22 since 4.20 and 4.21 dropped almost instantly”. Fair point, given 4.21 is literally the hotfix for 4.20’s damage.
u/CM0RDuck cuts to the chase: “Do you people not back up anything?”
Meanwhile u/joaquindlz (in Spanish) reports the opposite experience: “I asked OC to update me to 4.20 and it did it perfectly without breaking anything. I feel this version is much more polished than 4.15.” - confirming the damage isn’t uniform and depends heavily on specific configurations.
u/Solotonium offers a workaround for Telegram issues dating back to 4.9: ask OpenClaw’s TUI to check the source code for the Telegram schema and suggest changes to your old openclaw.json.
u/fernfahrer adds another bug: “Sending files with Telegram broke for my setup with this update…”
The pattern is well-known: OpenClaw releases bring interesting features but routinely break existing configurations, especially on Telegram and other messaging channels. The community splits between those who “cope” and those who wait for the next version (which, as we’ve seen, can arrive within hours).
Additional context: API keys getting wiped during updates is a recurring issue in OpenClaw’s history. It typically happens when the onboarding wizard or a config migration overwrites existing sections. The 4.21 doctor fix for repairing plugin dependencies is a partial response, but it doesn’t address the vanishing keys, which still call for a preemptive backup of the config file (as u/CM0RDuck suggests). The auth/commands security fix (#69774) also suggests that some of the “damage” may actually be the new, more restrictive behavior invalidating previously permissive configurations: a channel that relied on a wildcard `allowFrom`, or had no owner candidate configured, will now have its owner-only commands refused, and the right response is to configure an explicit owner identity rather than to loosen the check again.
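As an added check for the vanishing-keys problem (this is not OpenClaw tooling, and the `openclaw.json` layout in the sample is constructed for illustration because the post does not describe it): copy the file aside before the update, then diff the backup against the live file and list every setting that went missing or blank, so you know exactly which sections to restore instead of discovering them channel by channel.

```typescript
// Added example, not OpenClaw's tooling: back up openclaw.json before an
// upgrade, then report every setting the post-upgrade file lost or blanked.
// The config shape in BEFORE/AFTER is constructed; the real layout may differ.
import { copyFileSync, readFileSync } from "node:fs";

function isObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// "Blank" covers the ways a migration can leave a setting useless without
// deleting it: null, empty string, empty array, empty object.
function isBlank(v: unknown): boolean {
  if (v === null || v === undefined) return true;
  if (typeof v === "string") return v.trim() === "";
  if (Array.isArray(v)) return v.length === 0;
  if (isObject(v)) return Object.keys(v).length === 0;
  return false;
}

// Walk the pre-upgrade config and return the dotted paths of every section
// or value that is missing or blank in the post-upgrade config.
function lostSettings(before: unknown, after: unknown, path = ""): string[] {
  if (!isObject(before)) {
    return !isBlank(before) && isBlank(after) ? [path] : [];
  }
  const lost: string[] = [];
  for (const key of Object.keys(before)) {
    const p = path ? `${path}.${key}` : key;
    const next = isObject(after) ? after[key] : undefined;
    if (next === undefined) { lost.push(p); continue; } // whole section gone
    lost.push(...lostSettings(before[key], next, p));
  }
  return lost;
}

// Copy the config aside with a timestamp; run this before updating OpenClaw.
function backupConfig(configPath: string): string {
  const stamp = new Date().toISOString().replace(/[:.]/g, "-");
  const dest = `${configPath}.${stamp}.bak`;
  copyFileSync(configPath, dest);
  return dest;
}

// After the upgrade, compare the backup against the live file.
function checkUpgrade(backupPath: string, livePath: string): string[] {
  const before = JSON.parse(readFileSync(backupPath, "utf8"));
  const after = JSON.parse(readFileSync(livePath, "utf8"));
  return lostSettings(before, after);
}

// Constructed before/after pair mirroring the symptoms reported in the thread:
// model API keys blanked, the Discord section removed, iMessage left in place.
const BEFORE = {
  models: { openai: { apiKey: "sk-constructed-1" }, moonshot: { apiKey: "sk-constructed-2" } },
  channels: { discord: { token: "constructed-token" }, imessage: { enabled: true }, telegram: { enabled: true } },
};
const AFTER = {
  models: { openai: { apiKey: "" }, moonshot: {} },
  channels: { imessage: { enabled: true }, telegram: { enabled: true } },
};

console.log(lostSettings(BEFORE, AFTER));
```

In practice you would call `backupConfig("openclaw.json")` before the update and `checkUpgrade(backupPath, "openclaw.json")` after it; the sample pair above exercises the same logic offline and reports the two blanked API keys and the removed Discord section. The check is deliberately one-directional: settings the new version adds are not flagged, only what you had and no longer have.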
Verdict
4.20 brings solid features (Kimi K2.6, BlueBubbles group prompts, cron state split, session pruning). 4.21 is a targeted hotfix that makes Image 2 the default and closes an auth vulnerability. But the cost is the usual: broken setups, vanishing API keys, channels that stop working. If you’re upgrading, back up your openclaw.json first. And if you haven’t learned yet, wait for 4.22.