Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix exec tool broken in 2026.3.31 and 2026.4.1 — ensureExplicitGatewayAuth rejects all connections [1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#59584Fetched 2026-04-08 02:42:55
View on GitHub
Comments
0
Participants
1
Timeline
1
Reactions
0
Author
tabotthebottabotthebot
Participants
tabotthebottabotthebot
Timeline (top)
cross-referenced ×1

After upgrading from 2026.3.24 to 2026.3.31 (and later 2026.4.1), the exec tool completely stopped working. All exec calls fail silently or with credential/auth errors. Internal tools (read, write, gateway, message, cron) continue to work normally.

Root Cause

Root Cause (Diagnosed)

The function ensureExplicitGatewayAuth in the compiled bundle (call-h8FrADrE.js:229) rejects all external connections to the gateway — including exec approval routing — even when an explicit --token is provided and gateway.auth.mode = "token" is correctly configured.

Fix Action

Resolution

Rolled back to 2026.3.24. exec works immediately after downgrade with no config changes.

Code Example

"gateway": {
  "port": 18789,
  "mode": "local",
  "bind": "lan",
  "auth": {
    "mode": "token",
    "token": "<redacted>"
  }
}
RAW_BUFFERClick to expand / collapse

Bug Report

Versions Affected

  • 2026.3.31 ❌
  • 2026.4.1 ❌
  • 2026.3.24 ✅ (working, rolled back to this)

Description

After upgrading from 2026.3.24 to 2026.3.31 (and later 2026.4.1), the exec tool completely stopped working. All exec calls fail silently or with credential/auth errors. Internal tools (read, write, gateway, message, cron) continue to work normally.

Root Cause (Diagnosed)

The function ensureExplicitGatewayAuth in the compiled bundle (call-h8FrADrE.js:229) rejects all external connections to the gateway — including exec approval routing — even when an explicit --token is provided and gateway.auth.mode = "token" is correctly configured.

Config (confirmed clean)

"gateway": {
  "port": 18789,
  "mode": "local",
  "bind": "lan",
  "auth": {
    "mode": "token",
    "token": "<redacted>"
  }
}

Steps to Reproduce

  1. Run OC 2026.3.24 — exec works fine
  2. Upgrade to 2026.3.31 or 2026.4.1 (npm i -g [email protected] && openclaw gateway install --force)
  3. Try any exec tool call
  4. Fails — gateway auth rejected

Attempted Workarounds (all failed)

  • Removed gateway.remote section from config
  • Changed gateway.bind from lan to loopback
  • Passed explicit --token flag via CLI
  • Ran openclaw doctor --fix
  • Ran openclaw gateway install --force
  • Full stop + start (not just SIGUSR1)

Impact

  • exec tool completely non-functional
  • Cron jobs that use exec fail (cortex backup, data QA, etc.)
  • Agent cannot run any shell commands

Resolution

Rolled back to 2026.3.24. exec works immediately after downgrade with no config changes.

Related

This was introduced as a regression in 2026.3.31. The changelog for 2026.4.1 mentions exec/approval fixes but the issue persists in that version as well.

extent analysis

TL;DR

The most likely fix is to revert the changes made in the ensureExplicitGatewayAuth function in the compiled bundle, specifically in the call-h8FrADrE.js file, to allow external connections to the gateway when gateway.auth.mode is set to "token".

Guidance

  • Review the ensureExplicitGatewayAuth function in call-h8FrADrE.js to understand why it's rejecting external connections, even with a valid token.
  • Verify that the gateway.auth.mode is correctly set to "token" in the configuration file and that the token is valid.
  • Consider temporarily downgrading to version 2026.3.24, as it has been confirmed to work, while waiting for a fix for the regression introduced in 2026.3.31.
  • Check the changelog for 2026.4.1 to see if there are any specific instructions or workarounds for the exec/approval fixes mentioned.

Example

No code snippet is provided as the issue is related to a specific function in a compiled bundle, and modifying it directly may not be feasible or recommended.

Notes

The issue seems to be a regression introduced in version 2026.3.31, and the fix may require a code change or a configuration update. The provided configuration file seems to be correctly set up for token-based authentication.

Recommendation

Apply workaround: Downgrade to version 2026.3.24, as it is the last known working version, until a fix is available for the regression introduced in 2026.3.31. This is because the downgrade has been confirmed to resolve the issue, and there is no clear indication of when a fix will be available for the newer versions.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#environment variable#network issue#logging issue#authentication issue#prompt issue

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING