
OpenClaw v2026.3.11: Memory, ACP Session Restore & Security


OpenClaw v2026.3.11: Multimodal memory, ACP session restore & security hardening for multi-agent workflows.


OpenClaw v2026.3.11 is out, and it's a worthwhile update. The release brings three central improvements: expanded memory functionality with multimodal indexing, ACP session restore for multi-agent workflows and a range of important security hardening measures.

Especially interesting for agent teams: With the new ACP session restore, spawned ACP sessions can resume existing ACPX/Codex conversations instead of always starting from scratch. This makes multi-agent workflows significantly more powerful.

Memory: Multimodal Indexing with Gemini Embedding 2

OpenClaw Memory has always been based on markdown files in the workspace – that’s the source of truth, the model only “remembers” what is written to disk. With v2026.3.11 comes an important extension: opt-in multimodal indexing for images and audio files.

This is configured under memorySearch.extraPaths, which lists additional directories outside the standard workspace layout. When memorySearch.multimodal.enabled = true is set, OpenClaw indexes not only markdown files but also supported image and audio formats found there.

Important: Multimodal memory currently works only with Gemini Embedding 2 Preview (gemini-embedding-2-preview). The embedding model supports different output dimensions (768, 1536 or 3072) – the default is 3072. When switching between different dimensions, OpenClaw automatically reindexes the entire store because the vector size changes.

The practical impact: An agent can now search not only in markdown notes but also in saved screenshots, reference images or audio notes. Search queries remain text-based – Gemini compares text queries against indexed image/audio embeddings.

Supported formats:

  • Images: .jpg, .jpeg, .png, .webp, .gif, .heic, .heif
  • Audio: .mp3, .wav, .ogg, .opus, .m4a, .aac, .flac

Configuration example:

agents: {
  defaults: {
    memorySearch: {
      provider: "gemini",
      model: "gemini-embedding-2-preview",
      extraPaths: ["assets/reference", "voice-notes"],
      multimodal: {
        enabled: true,
        modalities: ["image", "audio"],
        maxFileBytes: 10000000
      }
    }
  }
}

A few limitations exist: Multimodal indexing applies only to files discovered via extraPaths. The standard memory roots (MEMORY.md, memory.md, memory/**/*.md) remain markdown-only. Also, memorySearch.fallback must be set to "none" while multimodal memory is enabled.

ACP Session Restore: Making Multi-Agent Workflows More Powerful

For teams working with multi-agent setups, v2026.3.11 is a real milestone. The new ACP session restore functionality allows spawned ACP sessions to resume existing ACPX/Codex conversations.

This works through the optional resumeSessionId parameter in sessions_spawn with runtime: "acp". Instead of always starting fresh, an ACP session can now load the conversation history of a previous session and continue where it left off.

In addition, the ACP UX has been significantly improved:

  • loadSession replays stored user and assistant text
  • Gateway-backed session controls and metadata are exposed
  • Approximate session usage updates are emitted so IDE clients can more faithfully restore context

Tool streaming has also been improved: tool_call and tool_call_update events are now enriched with best-effort text content and file location hints, allowing IDE clients to more naturally follow bridge tool activity.

Runtime attachments also have new features: Normalized inbound image attachments are now passed through ACP runtime turns, allowing ACPX sessions to preserve image prompt content on the runtime path.

Practical use case: An agent orchestrator can spawn a codex subagent to solve a complex task, and later spawn another subagent that builds on the same codex context – without starting over. This reduces context overhead and makes collaborative agent workflows significantly more efficient.

Security: WebSocket Origin Validation & Hardening

Security is a consistent theme in v2026.3.11. The most important security change is gateway WebSocket origin validation: OpenClaw now enforces browser-origin validation for all browser-originated connections, regardless of whether proxy headers are present. This closes a cross-site WebSocket hijacking path in trusted-proxy mode that would have granted untrusted origins operator.admin access.

This is a critical fix that is officially documented under GHSA-5wcw-8jjv-m286. The advisory describes in detail how the path could be exploited and why origin validation is now mandatory.
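The origin check described above, sketched as an added example; it is not OpenClaw's code and is not taken from the advisory. `weakAccept` is a constructed illustration of an origin check that is skipped when proxy headers are present, `hardenedAccept` validates every request that carries an Origin header, and all function names, option names and sample headers are assumptions.

```javascript
// Added illustration, not OpenClaw's code. All names here are hypothetical.

// Reduce an Origin header to scheme://host[:port]; null if missing or unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin; // host lowercased, default port dropped
  } catch {
    return null;
  }
}

function originAllowed(headers, opts) {
  const origin = normalizeOrigin(headers["origin"]);
  return origin !== null && opts.allowedOrigins.includes(origin);
}

// Weak (constructed): forwarded headers from a trusted proxy bypass the origin check.
function weakAccept(headers, opts) {
  if (opts.trustedProxy && headers["x-forwarded-for"] !== undefined) return true;
  return originAllowed(headers, opts);
}

// Hardened: an Origin header marks the request as browser-originated, and it
// must match the allowlist whether or not proxy headers are present.
// Requests without Origin (non-browser clients) continue to normal authentication.
function hardenedAccept(headers, opts) {
  if (headers["origin"] === undefined) return true;
  return originAllowed(headers, opts);
}

// Constructed upgrade-request headers (Node lowercases header names).
function demoOrigins() {
  const opts = { trustedProxy: true, allowedOrigins: ["https://console.example"] };
  const crossSite = { origin: "https://untrusted.example", "x-forwarded-for": "203.0.113.7" };
  const sameSite = { origin: "https://CONSOLE.example:443", "x-forwarded-for": "203.0.113.7" };
  return {
    weakCrossSite: weakAccept(crossSite, opts),
    hardenedCrossSite: hardenedAccept(crossSite, opts),
    hardenedSameSite: hardenedAccept(sameSite, opts),
    hardenedOpaque: hardenedAccept({ origin: "null" }, opts),
  };
}
```

Passing the origin stage only admits the request to authentication; it does not replace it.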

Beyond that, there is a whole range of security hardenings:

Secret files: Secret file reads are now hardened against path-swap races – OpenClaw requires regular files directly for *File secret inputs and rejects symlink-backed secret files.

Secrets/SecretRef: Exec SecretRef traversal ids are rejected via schema, runtime and gateway – this prevents unintended secret traversal.

Sandbox/fs Bridge: Staged writes are pinned to verified parent directories, so temporary write files cannot materialize outside allowed mounts before atomic replace occurs.

Gateway/Auth: When local gateway.auth.* SecretRefs are configured but unavailable, OpenClaw fails closed – there is no silent fallback to gateway.remote.* credentials in local mode.

Security/system.run: For approval-backed interpreter/runtime commands, OpenClaw fails closed when it cannot bind exactly one concrete local file operand.

Security/plugin Runtime: Unauthenticated plugin HTTP routes no longer inherit synthetic admin gateway scopes when they call runtime.subagent.* – admin-only methods like sessions.delete remain blocked without gateway auth.

Security/session_status: Sandbox session-tree visibility and shared agent-to-agent access guards are enforced before target session state is read or mutated – sandboxed subagents can no longer inspect parent session metadata or write parent model overrides via session_status.

Security/nodes: The nodes agent tool is treated as owner-only fallback policy – non-owner senders can no longer reach paired-node approval or invoke paths through the shared tool set.

Subagents/Authority: Leaf vs orchestrator control scope is persisted at spawn, and tool and slash-command control is routed through shared ownership checks – leaf sessions cannot regain orchestration privileges after restore or flat-key lookups.

Breaking Changes: Cron Delivery & Storage

An important change affects cron jobs: The Cron/doctor delivery has been tightened. Isolated cron jobs can no longer be notified via ad hoc agent sends or fallback main-session summaries. There is an openclaw doctor --fix migration for legacy cron storage and legacy notify/webhook delivery metadata.

If you use cron jobs that depend on notifications through alternative paths, you must adjust your configuration. The migration with openclaw doctor --fix should automatically handle most legacy setups.

Additional Improvements

Beyond the three main points, there are a number of other improvements:

OpenRouter models: Temporary entries for Hunter Alpha and Healer Alpha have been added to the built-in catalog so OpenRouter users can test the new free stealth models during their approximately one-week availability.

iOS/Home Canvas: A bundled welcome screen with live agent overview has been added – refreshed on connect, reconnect and foreground return. The compact connection pill has been moved from the top-left canvas overlay.

macOS/chat UI: A chat model picker has been added, explicit thinking-level selections are persisted across relaunch, and provider-aware session model sync for the shared chat composer has been hardened.

Onboarding/Ollama: First-class Ollama setup with Local or Cloud + Local modes, browser-based cloud sign-in, curated model suggestions and cloud-model handling that skips unnecessary local pulls.

OpenCode/onboarding: New OpenCode Go provider; Zen and Go are treated as a single OpenCode setup in the wizard/docs while runtime providers remain separate.

Agent fixes: A number of fixes for text sanitization (leaked model control tokens are stripped), billing recovery, failover, cooldowns and context pruning improve the stability and reliability of agent runs.

Update & Migration

If you are currently using OpenClaw, the update is generally straightforward. Most changes are additive or improve existing behavior. The only relevant breaking change affects cron delivery – here you should run openclaw doctor --fix after the update if you have legacy cron setups.

For memory support with multimodal indexing, you need a Gemini API key and should configure gemini-embedding-2-preview as the embedding model. Keep in mind that switching from gemini-embedding-001 (768 dimensions) to gemini-embedding-2-preview (3072 dimensions) triggers a re-index – for larger memory stores this can take some time.

For ACP session restore, no special configuration is needed – it’s an opt-in feature via the resumeSessionId parameter in sessions_spawn. The new UX improvements for ACP sessions are automatically available.

Conclusion

OpenClaw v2026.3.11 is a solid release that is particularly relevant for agent teams and users with complex memory setups. Multimodal indexing significantly expands the memory concept, ACP session restore makes multi-agent workflows more powerful, and the consistent security hardening is reassuring, especially for production setups.

If you work with OpenClaw, this update is recommended – especially if you use multi-agent setups or your agent has extensive memory that can now also include images and audio.