ClawHosters ClawHosters
Subs -30% SUB30
OpenClaw v2026.3.12: Dashboard v2, Fast Mode, and 17 Security Fixes
$ ./blog/news
News

OpenClaw v2026.3.12: Dashboard v2, Fast Mode, and 17 Security Fixes

ClawHosters
ClawHosters by Daniel Samer
3 min read

OpenClaw v2026.3.12 landed on March 12, 2026 with 39 contributors behind it. This one is heavy. A full dashboard redesign, a new speed toggle, a reworked plugin system, and 17+ GitHub Security Advisories patched in a single release.

Dashboard v2

The dashboard got rebuilt from scratch. Gone is the single-pane layout. In its place: modular views for overview, chat, config, agent, and session management. There's a command palette now (think Spotlight for your OpenClaw instance), mobile bottom tabs that actually work, and better chat tooling with slash commands, message search, export, and pinned messages.

It's probably the most visible change in any OpenClaw release this year.

Fast Mode

You can now toggle between speed and quality on a per-session basis. Works with both OpenAI/GPT-5.4 and Anthropic/Claude. Hit /fast in chat, flip it in the TUI, or set it from the Control UI and ACP.

I think this is one of those features that sounds minor until you use it. Quick questions don't need the same processing depth as a code review. Fast Mode lets you pick.

Ephemeral Device Tokens

This is a security fix that matters more than it sounds. Previously, /pair and QR code flows embedded shared gateway credentials into bootstrap tokens. That meant those credentials sat on devices longer than they should have.

OpenClaw v2026.3.12 switches to short-lived ephemeral tokens instead (tracked as GHSA-99qw-6mr3-36qr). Once a device pairs, the bootstrap token expires. No more persistent credential exposure during pairing. If you're running self-hosted, this one alone is worth the upgrade.

We've written about OpenClaw's security posture before in our security hardening guide and our Safety Scanner coverage from v2026.2.6.

Plugin Architecture Overhaul

Ollama, vLLM, and SGLang are no longer baked into the core. They've moved to a modular provider-plugin system. And workspace plugins now require an explicit trust decision before loading. No more auto-loading plugins from cloned repos. That's a quiet but important safety change.

Everything Else

WebSocket pre-auth got hardened (rejects oversized frames, shorter unauthenticated handshake retention). Unicode obfuscation in approval prompts and exec detection is blocked. The command execution allowlist got tighter. Exec approval now fails closed for ambiguous inline loaders and shell-payload scripts. Kubernetes starter manifests are included. Subagent sessions gained a sessions_yield feature and a 90-second completion timeout. Slack Block Kit support shipped. Kimi Coding and Telegram model picker bugs got squashed.

The ClawHosters Angle

All 17+ security patches, the plugin trust changes, and the ephemeral token migration already hit your managed instance. No config changes needed. Self-hosters have a different story: manual patching, plugin trust audits, and device re-pairing. Check our pricing plans if that sounds like work you'd rather skip.

Frequently Asked Questions

If you self-host, yes. Existing pairing tokens from the old system won't work with ephemeral tokens. ClawHosters instances handled re-pairing automatically during the managed update.

Ollama still works, but it's a plugin now instead of a built-in integration. Self-hosters need to explicitly trust the Ollama provider plugin after upgrading. ClawHosters instances have this pre-configured.

Fast Mode is an OpenClaw feature, not a ClawHosters restriction. It works on every plan as long as your configured LLM provider supports it. Check our docs for setup details.
*Last updated: March 2026*

Sources

  1. 1 GHSA-99qw-6mr3-36qr
  2. 2 security hardening guide
  3. 3 Safety Scanner coverage from v2026.2.6
  4. 4 pricing plans
  5. 5 docs
$ ./related --posts