OpenClaw updates the “Dreamscape” memory system: AI agents can replay notes, and five major security vulnerabilities are patched

動區BlockTempo

OpenClaw, an open-source AI agent platform with over 2 million users, released its latest version on April 9, 2026. Its core highlight is a brand-new “Dreaming” memory system that enables AI agents to replay users’ historical notes and form long-term memory. The update also ships multiple security patches, among them fixes for SSRF bypasses and environment variable pollution, only a few weeks after this year’s major cybersecurity incident in March.

OpenClaw, nicknamed the “little crayfish,” has received an update. What’s most compelling about version 2026.4.9 isn’t the length of the feature list but a conceptual leap: AI agents are starting to have the ability to “sleep.”

Dreaming system: Help AI agents “remember” what you’ve written

The new version introduces a REM backfill lane that can batch-fill users’ past daily notes into the Dreams memory system, then progressively consolidate them into long-term memory through staged promotion signals. Paired with a brand-new structured journal UI, users can browse historical records via a timeline and trigger backfill or resets themselves.

In plain terms: work notes and decision context you wrote in OpenClaw a few months ago can now be “digested” by the AI agent and proactively called upon in future conversations. For long-term heavy users, this means the agent is no longer a forgetful assistant that starts from zero every time you talk.

Five major security patches: Follow-up work from last time’s incident

In March, Kaspersky reported that OpenClaw had more than 21,000 exposed instances being scanned, and malicious skills plug-ins were also found to be running rampant. This update responds to that pressure with concrete fixes.

The five security areas patched in this version are:

  • Navigation triggered by browser interaction now re-verifies blocked targets, patching the vulnerability that could previously bypass SSRF isolation.
  • Control variables in the .env file of untrusted workspaces are blocked outright to prevent environment contamination.
  • Execution event summaries returned by remote nodes (exec.started / exec.finished / exec.denied) are uniformly marked as untrusted sources, cutting off this path for prompt injection.
  • Untrusted plug-ins can no longer collide with the built-in provider’s auth ID, closing the attack surface for authentication confusion.
  • The underlying basic-ftp package is forcibly upgraded to 5.2.1 to mitigate the CRLF command injection risk.
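The first fix above, re-checking targets on every navigation rather than only on the first request, can be sketched as follows. This is an added example, not OpenClaw's code: the blocked ranges, the injected `resolve` function and the sample hostnames are assumptions made for illustration.

```javascript
// IPv4 ranges refused as destinations, as [base, prefix length] (assumed policy).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];
const v4ToInt = (ip) => ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);

function isBlockedIp(ip) {
  if (ip.includes(":")) { // IPv6 literal
    const a = ip.toLowerCase();
    // loopback, unspecified, IPv4-mapped (refused outright), fc00::/7, fe80::/10
    return a === "::1" || a === "::" || a.startsWith("::ffff:") ||
      /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
  }
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
  });
}

// Returns null when allowed, else the reason. `resolve` (hypothetical) maps a hostname to IPs.
function checkTarget(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch { return "unparseable URL"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return `scheme ${url.protocol} not allowed`;
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const isLiteral = host.includes(":") || /^\d+\.\d+\.\d+\.\d+$/.test(host);
  const ips = isLiteral ? [host] : resolve(host);
  if (ips.length === 0) return `no address for ${host}`;
  const bad = ips.find(isBlockedIp);
  return bad ? `${host} resolves to blocked address ${bad}` : null;
}

// Checks the first URL and every later hop (redirect, click, form submit);
// returns the first blocked hop, or null when the whole chain is clean.
function guardNavigation(hops, resolve) {
  for (let i = 0; i < hops.length; i++) {
    const reason = checkTarget(hops[i], resolve);
    if (reason) return { hop: i, url: hops[i], reason };
  }
  return null;
}

// Constructed sample data: a stub resolver and a chain that ends at a metadata address.
const SAMPLE_DNS = new Map([["example.com", ["93.184.216.34"]], ["wiki.internal.example", ["10.0.0.5"]]]);
const sampleResolve = (host) => SAMPLE_DNS.get(host) || [];
const SAMPLE_CHAIN = ["https://example.com/start", "http://169.254.169.254/latest/meta-data/"];
console.log(guardNavigation(SAMPLE_CHAIN, sampleResolve));
```

In a real agent the connection must be made to the same address that passed the check, otherwise a second DNS lookup can return a different answer.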

These five patches are not an entirely new architectural redesign; instead, they are precise backports targeting known weaknesses. This shows that after the cybersecurity incident, the development team adopted a point-by-point hardening strategy.

Other adjustments worth paying attention to

On the feature side, the character-vibes QA tool for assessing role atmosphere quality adds model selection and parallel execution support, making it easier for developers to compare differences in the performance of multiple models at the same time. Plugin provider auth aliases let different plug-ins share the same set of verification settings, easing the management burden in multi-plug-in scenarios.

On Android, it fixes issues with leftover expired pairing codes and failures to retry after background pauses; on iOS, it switches to the CalVer version naming convention to align with the desktop version. Integrations and connections for Slack, Matrix, Telegram, and Discord are also covered by this round of fixes.

OpenClaw was founded by developer Peter Steinberger in late 2025, and its GitHub stars have already exceeded 250k. At this year’s GTC, Jensen Huang singled out the platform, saying it “turns every SaaS into AaaS.” The rollout of the Dreaming memory system may well be a key step in that direction—helping the agent truly understand “who this user is,” not just “what this conversation is about.”
