Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix [Bug]: exec host=node regression in 2026.4.2 — agent exec always routes to gateway [1 pull requests, 5 comments, 4 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#60772Fetched 2026-04-08 02:47:22
View on GitHub
Comments
5
Participants
4
Timeline
14
Reactions
0
Author
MeikelBacksMeikelBacks
Participants
martingarramonmartingarramonMeikelBacksMeikelBacksobviyusobviyusopenperfopenperf
Timeline (top)
commented ×5cross-referenced ×3closed ×2subscribed ×2

exec host=node stopped routing to the paired Windows node after upgrading from 2026.3.31 to 2026.4.2. Commands execute on the gateway instead of the remote node. This worked correctly on 2026.3.31.

This appears to be the same issue as #20669 (closed as stale), now confirmed as a regression between 2026.3.31 → 2026.4.2.

Root Cause

exec host=node stopped routing to the paired Windows node after upgrading from 2026.3.31 to 2026.4.2. Commands execute on the gateway instead of the remote node. This worked correctly on 2026.3.31.

This appears to be the same issue as #20669 (closed as stale), now confirmed as a regression between 2026.3.31 → 2026.4.2.

Fix Action

Fixed

PR fix notes

PR #60788: fix(agents): restore exec host=node routing and per-call override from auto

Description (problem / solution / changelog)

Summary

  • Problem: Since 2026.4.2, exec host=node no longer routes commands to paired nodes — every command executes on the gateway instead. All four configuration paths are broken: global tools.exec.host: "node" silently runs on gateway; tools.exec.host: "auto" with per-call host=node throws "exec host not allowed"; subagent host=node also throws; and disabling elevated does not help. This leaves zero remaining paths to execute commands on paired nodes from agents (#60772, same root cause as stale #20669).

  • Root Cause: Two regressions in resolveExecTarget() and isRequestedExecTargetAllowed() in src/agents/bash-tools.exec-runtime.ts:

    1. Elevated override (line 238–245): elevatedRequested unconditionally returns effectiveHost: "gateway", ignoring configuredTarget: "node". When a channel has elevated defaults enabled (defaultLevel: "on"), the elevated mode resolves to "ask"elevatedRequested = true → gateway forced, even though the user explicitly configured host=node.
    2. Strict equality gate (line 224–228): isRequestedExecTargetAllowed uses requestedTarget === configuredTarget. When configuredTarget is "auto", any per-call override to a concrete host (node, gateway, sandbox) is rejected. The comment says "auto is a routing strategy, not a wildcard allowlist", but this contradicts the documented behavior where auto should allow runtime host selection.

  • Fix:

    1. Elevated: When configuredTarget === "node", preserve effectiveHost: "node" instead of forcing gateway. The node's own approval/security layer handles elevated semantics on the remote host. All other configured targets (auto, sandbox, gateway) still redirect elevated to gateway as before.
    2. Auto override: Allow isRequestedExecTargetAllowed to return true when configuredTarget === "auto", enabling per-call overrides to any concrete host. Non-auto concrete targets still require exact match to prevent silent host-hopping.

  • What changed:

    • src/agents/bash-tools.exec-runtime.ts: Fixed isRequestedExecTargetAllowed to allow per-call overrides under auto; fixed resolveExecTarget elevated path to honour node binding.
    • src/agents/bash-tools.exec-runtime.test.ts: Updated 2 existing tests and added 5 new tests covering auto→node override, auto→gateway override, auto→sandbox override, cross-host rejection for concrete targets, elevated+node routing, and elevated+node without per-call override.

  • What did NOT change (scope boundary): Node transport layer (bash-tools.exec-host-node.ts), approval policy resolution (exec-approvals.ts), sandbox isolation checks in bash-tools.exec.ts, and the elevated gate logic in createExecTool.execute are all untouched. The fix is strictly limited to target selection in resolveExecTarget.

Reproduction

  1. Pair a Windows node (connected, system.run capability advertised).
  2. Set tools.exec.host: "node" and tools.exec.node: "<node-id>" in config.
  3. Run exec hostname from an agent session.
  4. Before fix: Returns gateway hostname (Linux). After fix: Returns node hostname (Windows).
  5. Alternatively, set tools.exec.host: "auto" and run exec host=node: hostname.
  6. Before fix: Throws "exec host not allowed". After fix: Routes to node correctly.

Risk / Mitigation

  • Risk: Allowing per-call overrides under auto could let a sandboxed session escape to gateway/node.
  • Mitigation: Sandbox isolation is enforced independently in bash-tools.exec.ts (line 1338: target.selectedTarget === "sandbox" && !sandbox check) and by the approval layer (line 1322: host === "sandbox" ? "deny" : "full"). The new tests explicitly verify that cross-host overrides between concrete targets (e.g. nodegateway) are still rejected. The elevated fix only applies to configuredTarget === "node", which is an explicit admin choice — no implicit escalation path is opened.

Change Type (select all)

  • Bug fix

Scope (select all touched areas)

  • Gateway
  • Agent Tools
  • Exec Runtime

Linked Issue/PR

Fixes #60772

Changed files

  • CHANGELOG.md (modified, +1/-0)
  • src/agents/bash-tools.exec-runtime.test.ts (modified, +103/-5)
  • src/agents/bash-tools.exec-runtime.ts (modified, +33/-6)

Code Example

exec: whoami
→ loki\meike   (Windows node)

exec: schtasks /query /tn "OpenClaw Node"
Task info returned ✅

---

exec host=node: hostname
KollegePlus   (gateway hostname, not Windows node)

exec host=node: echo $env:COMPUTERNAME
→ $env:COMPUTERNAME   (bash on Linux, not PowerShell on Windows)
RAW_BUFFERClick to expand / collapse

[Bug]: exec host=node regression in 2026.4.2 — agent exec always routes to gateway

Summary

exec host=node stopped routing to the paired Windows node after upgrading from 2026.3.31 to 2026.4.2. Commands execute on the gateway instead of the remote node. This worked correctly on 2026.3.31.

This appears to be the same issue as #20669 (closed as stale), now confirmed as a regression between 2026.3.31 → 2026.4.2.

Steps to reproduce

  1. Pair a Windows 11 node (connected, system.run capability advertised)
  2. Set tools.exec.host: "node" and tools.exec.node: "<node-id>" in config
  3. Run exec hostname from an agent session (KollegePlus channel)
  4. Observe: command runs on gateway (Linux), not on the Windows node

Working on 2026.3.31 (April 1)

exec: whoami
→ loki\meike  ✅ (Windows node)

exec: schtasks /query /tn "OpenClaw Node"
→ Task info returned ✅

Broken on 2026.4.2 (April 3+)

exec host=node: hostname
→ KollegePlus  ❌ (gateway hostname, not Windows node)

exec host=node: echo $env:COMPUTERNAME
→ $env:COMPUTERNAME  ❌ (bash on Linux, not PowerShell on Windows)

Environment

  • Gateway: Ubuntu 24.04 LTS, OpenClaw 2026.4.2, running as root
  • Node: Windows 11 Pro, OpenClaw 2026.4.2, node-host mode
  • Channel: Custom plugin (KollegePlus), E2EE
  • Node status: paired, connected, system.run + system.which + browser.proxy in allowCommands
  • nodes invoke system.which: Works correctly — node responds to invoke commands
  • nodes invoke system.run: Blocked with "reserved for shell execution; use exec with host=node"

Configs tried (all failed)

ConfigResult
tools.exec.host: "node" (global)Runs on gateway
tools.exec.host: "auto" + host=node per-call"exec host not allowed"
tools.exec.host: "node" + tools.elevated.enabled: falseRuns on gateway
Subagent with host=node"exec host not allowed"

Likely cause

Release notes for 2026.4.2 include several exec routing changes:

  • "Exec defaults: make gateway/node host exec default to YOLO mode"
  • "Gateway/exec loopback: restore legacy-role fallback for empty paired-device token maps"
  • "Exec/node hosts: stop forwarding the gateway workspace cwd to remote node exec"

The elevated channel config (tools.elevated.enabled: true) forces host=gateway per the docs. But even with elevated disabled, exec still routes to gateway instead of the node.

Impact

  • Blocks all remote node shell execution from agents
  • nodes invoke system.run is blocked ("use exec host=node")
  • openclaw nodes run CLI was removed in 2026.3.31
  • No remaining path to execute commands on paired nodes from agents

Related

  • #20669 (same bug, closed as stale on 2026-03-26)

OpenClaw version

2026.4.2

Operating system

Ubuntu 24.04 LTS (gateway), Windows 11 Pro (node)

Install method

npm (pnpm)

extent analysis

TL;DR

Downgrade to version 2026.3.31 or wait for a patch, as the exec host=node regression in 2026.4.2 causes commands to execute on the gateway instead of the remote node.

Guidance

  • Review the release notes for 2026.4.2 to understand the changes made to exec routing, which may have introduced the regression.
  • Verify that the node is properly paired and connected, and that the system.run capability is advertised.
  • Test using the nodes invoke system.run command to see if it works, although it is currently blocked with a message indicating to use exec host=node.
  • Check the documentation for any updates or workarounds related to the tools.exec.host and tools.elevated.enabled configurations.

Example

No code snippet is provided as the issue is related to configuration and versioning.

Notes

The issue is confirmed as a regression between versions 2026.3.31 and 2026.4.2, and there is no clear workaround provided in the issue description. The tools.elevated.enabled configuration does not seem to affect the issue.

Recommendation

Downgrade to version 2026.3.31, as it is the last known working version for the exec host=node functionality. This is the safest option until a patch is released to fix the regression in 2026.4.2.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#ssr#installation#tensor shape#request timeout

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - ✅(Solved) Fix [Bug]: exec host=node regression in 2026.4.2 — agent exec always routes to gateway [1 pull requests, 5 comments, 4 participants]