AxonFlow v9.1.1 Release Notes
v9.1.1 is a security-only maintenance patch. It carries no new features, no API changes, and no database schema changes. It refreshes the agent and orchestrator container base images to clear an upstream OpenSSL advisory, applies defense-in-depth hardening across the platform's Go services, encrypts the alert notification topics on Enterprise deployments, and ships a Java SDK and an OpenClaw plugin patch that address their respective security items. It is a drop-in upgrade from v9.1.0.
Container images: upstream OpenSSL fix
The agent and orchestrator images now upgrade libssl3 / libcrypto3 in the runtime layer so they ship OpenSSL 3.5.7-r0 or later (was 3.5.6-r0), clearing the upstream advisory CVE-2026-45447. This is a base-image package bump only: the AxonFlow binaries are unchanged. Self-hosted operators pick up the fix simply by pulling the v9.1.1 images.
Defense-in-depth hardening
A security sweep across the codebase produced a set of hardening changes. None of them change a documented API contract or runtime behavior; they close latent risks before they can matter:
- Reflected-content hardening on the HTTP response paths. The community-SaaS recovery confirmation page now renders through Go's `html/template` contextual auto-escaping instead of a hand-rolled escaper, and the platform's transparent response-writer wrappers (idempotency replay, transparency headers, telemetry status capture, and the customer-portal request log) now set `X-Content-Type-Options: nosniff`, so a request-derived value reflected into a JSON response cannot be MIME-sniffed and interpreted as active content by a browser.
- Session identifiers masked in logs. The MCP server handler now logs only a short prefix of session-id handles, never the full value. No secret material was ever written to the logs; this further trims what the operational log stream retains.
- Path-handling guard on a test harness. A test-only webhook receiver used in the cross-system end-to-end suite now restricts the dump filenames it writes to a flat token, so a crafted identifier cannot traverse outside its dump directory.
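The three hardening items above, shown together in one Go program. This is an added example, not AxonFlow's own code: the template text, the `ReflectJSON` handler, the 8-character prefix rule in `MaskSessionID`, and the `flatToken` pattern are all constructed for illustration, and the wrapper shows the same `nosniff` behaviour the release notes describe for the platform's response-writer wrappers.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Constructed recovery-confirmation template. html/template chooses the
// escaping for {{.}} from the HTML context it appears in (here: text inside <b>).
var confirmationTmpl = template.Must(template.New("confirm").Parse(
	`<p>A recovery link was sent to <b>{{.}}</b>.</p>`))

// RenderConfirmation reflects a request-derived address through contextual
// auto-escaping, so any markup in the input is rendered inert.
func RenderConfirmation(address string) (string, error) {
	var sb strings.Builder
	if err := confirmationTmpl.Execute(&sb, address); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// nosniffWriter is a transparent http.ResponseWriter wrapper that forces
// X-Content-Type-Options: nosniff before the header is sent, whichever of
// WriteHeader or Write the inner handler calls first.
type nosniffWriter struct {
	http.ResponseWriter
	wroteHeader bool
}

func (w *nosniffWriter) WriteHeader(code int) {
	if !w.wroteHeader {
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.wroteHeader = true
		w.ResponseWriter.WriteHeader(code)
	}
}

func (w *nosniffWriter) Write(b []byte) (int, error) {
	if !w.wroteHeader {
		w.WriteHeader(http.StatusOK)
	}
	return w.ResponseWriter.Write(b)
}

// WithNosniff wraps any handler so every response it writes carries the header.
func WithNosniff(next http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&nosniffWriter{ResponseWriter: rw}, r)
	})
}

// ReflectJSON is a constructed handler that echoes a query parameter into a
// JSON body: the kind of path the wrapper protects.
func ReflectJSON(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprintf(w, `{"q":%q}`, r.URL.Query().Get("q"))
}

// ServeReflected runs ReflectJSON through the wrapper in-process and returns
// the recorded response, so headers can be inspected without a live server.
func ServeReflected(q string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/echo?q="+url.QueryEscape(q), nil)
	WithNosniff(http.HandlerFunc(ReflectJSON)).ServeHTTP(rec, req)
	return rec
}

// MaskSessionID keeps at most the first 8 characters of a session handle for
// log lines and redacts entirely when the handle is too short for a prefix to
// hide anything. The exact cut-off is a constructed policy, not the MCP handler's.
func MaskSessionID(id string) string {
	const keep = 8
	if len(id) < 2*keep {
		return "[redacted]"
	}
	return id[:keep] + "..."
}

// flatToken is the only shape a dump filename may take: a single path segment
// with no separators and no dots, so "../" and absolute paths are rejected outright.
var flatToken = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// DumpFilename maps a webhook identifier to a filename inside the dump
// directory, or refuses when the identifier is not a flat token.
func DumpFilename(id string) (string, error) {
	if !flatToken.MatchString(id) {
		return "", fmt.Errorf("refusing dump filename for non-flat identifier %q", id)
	}
	return id + ".json", nil
}

func main() {
	page, _ := RenderConfirmation("a<b>@example.test")
	fmt.Println(page)
	rec := ServeReflected("<s>")
	fmt.Println(rec.Header().Get("X-Content-Type-Options"), rec.Body.String())
	fmt.Println(MaskSessionID("sess_0123456789abcdef"), MaskSessionID("short"))
	_, err := DumpFilename("../../etc/passwd")
	fmt.Println(err)
}
```

The wrapper sets the header inside `WriteHeader` rather than in the middleware body so that an inner handler which calls `Write` first (Go then sends an implicit 200) still gets the header; setting it after `next.ServeHTTP` returns would be too late, because the header block is already on the wire.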
Infrastructure hardening (Enterprise)
The alert notification topics on Enterprise CloudFormation stacks (the alarm, first-payment, and synthetic-monitoring SNS topics) are now encrypted at rest with a customer-managed KMS key, with a key policy scoped to exactly the CloudWatch alarm service and canary Lambda that publish to them. A new continuous secret-scanning check also runs on every change, complementing the existing pre-commit and push-protection guards.
These are template-level and pipeline-level changes. Existing deployments are not modified until you redeploy from the updated templates.
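A CloudFormation fragment of the shape described above: an SNS topic encrypted with a customer-managed KMS key whose policy admits only the CloudWatch alarm service and the canary's execution role. This is an added example, not AxonFlow's template; the logical IDs (`AlertTopicKey`, `AlarmTopic`, `CanaryLambdaRole`) are constructed, and `CanaryLambdaRole` is assumed to be defined elsewhere in the same template.

```yaml
Resources:
  AlertTopicKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer-managed key for alert notification topics (constructed example)
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Keeps the key administrable; without a root statement the key can become unmanageable.
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          # CloudWatch alarms publish to the topic and need to wrap a data key for it.
          - Sid: AllowCloudWatchAlarmsToPublish
            Effect: Allow
            Principal:
              Service: cloudwatch.amazonaws.com
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey*
            Resource: "*"
          # Only the canary's execution role, not every principal in the account.
          - Sid: AllowCanaryLambdaToPublish
            Effect: Allow
            Principal:
              AWS: !GetAtt CanaryLambdaRole.Arn
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey
            Resource: "*"

  AlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      KmsMasterKeyId: !Ref AlertTopicKey
```

The check worth running after a redeploy is that an alarm transition still produces a notification: if the key policy omits the CloudWatch service principal, alarm publishes fail silently from the topic's point of view, and the symptom is simply a missing alert.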
SDK and plugin security patches
- Java SDK 8.5.1. The Java SDK has always offered an opt-in, development-only mode that skips TLS verification, double-gated behind an explicit configuration flag and an environment variable with a loud startup warning. v8.5.1 adds a hard production guard: when a production-like deployment environment is detected, the SDK keeps full TLS certificate verification in place even if both opt-in gates are set, so the insecure mode can no longer be turned on in production. This is the only SDK with a code change in this release; the Python, TypeScript, Go, and Rust SDKs are unchanged (their security items were build-time dependency updates that do not change the published artifact).
- OpenClaw plugin 2.6.6. Clears a runtime `protobufjs` advisory and is republished to ClawHub and npm.
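The gating logic the Java SDK item describes (two opt-in gates plus a production guard that overrides both), written here in Go so it can be run and tested on its own. This is an added example, not the Java SDK's code: the `Gates` field names, the `EXAMPLE_*` environment variables and the `isProductionLike` detection rule are constructed; the page does not describe how the SDK detects a production-like environment.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"strings"
)

// Gates holds the two opt-in signals and the detected deployment environment.
// Names are constructed for this example, not the SDK's configuration keys.
type Gates struct {
	ConfigAllowInsecure bool   // explicit configuration flag
	EnvAllowInsecure    string // raw value of the environment-variable gate
	DeploymentEnv       string // e.g. "development", "staging", "production"
}

// isProductionLike is a hypothetical detection rule for this example.
func isProductionLike(env string) bool {
	switch strings.ToLower(strings.TrimSpace(env)) {
	case "prod", "production", "live":
		return true
	}
	return false
}

// ResolveTLS returns the TLS configuration to use, whether certificate
// verification ends up skipped, and a warning line to log (empty if none).
// Verification is only ever skipped when both gates are set AND the
// environment is not production-like.
func ResolveTLS(g Gates) (cfg *tls.Config, skipped bool, warning string) {
	cfg = &tls.Config{MinVersion: tls.VersionTLS12}
	bothGates := g.ConfigAllowInsecure &&
		strings.EqualFold(strings.TrimSpace(g.EnvAllowInsecure), "true")
	if !bothGates {
		return cfg, false, ""
	}
	if isProductionLike(g.DeploymentEnv) {
		// Production guard: the request is refused, verification stays on.
		return cfg, false, fmt.Sprintf(
			"insecure TLS requested but deployment environment %q is production-like; keeping certificate verification on",
			g.DeploymentEnv)
	}
	cfg.InsecureSkipVerify = true
	return cfg, true, "WARNING: TLS certificate verification disabled (development-only mode)"
}

func main() {
	g := Gates{
		ConfigAllowInsecure: os.Getenv("EXAMPLE_CONFIG_ALLOW_INSECURE") == "true",
		EnvAllowInsecure:    os.Getenv("EXAMPLE_ENV_ALLOW_INSECURE"),
		DeploymentEnv:       os.Getenv("EXAMPLE_DEPLOYMENT_ENV"),
	}
	cfg, skipped, warning := ResolveTLS(g)
	if warning != "" {
		fmt.Println(warning)
	}
	fmt.Printf("InsecureSkipVerify=%v skipped=%v\n", cfg.InsecureSkipVerify, skipped)
}
```

The guard is deliberately placed after the gate check rather than folded into it, so the loud warning still fires in production: an operator who set both gates by mistake sees in the log that the request was refused, instead of silently getting a secure client and wondering why their development workaround stopped working.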
SDK and plugin versions
The recommended versions move only where a code change shipped:
| Component | v9.1.0 | v9.1.1 |
|---|---|---|
| Java SDK (`com.getaxonflow:axonflow-sdk`) | 8.5.0 | 8.5.1 |
| OpenClaw plugin | 2.6.5 | 2.6.6 |
| Python / TypeScript / Go SDK | 8.5.0 | 8.5.0 (unchanged) |
| Rust SDK (preview) | 0.7.0 | 0.7.0 (unchanged) |
| Claude Code / Cursor / Codex plugins | 1.6.0 / 1.5.3 / 1.5.2 | unchanged |
The minimum supported SDK floor (8.0.0) and plugin floors (1.4.0 / 2.4.0) are unchanged. SDK and platform versions are independent and each follows its own semver.
Upgrading
v9.1.1 is a drop-in upgrade from v9.1.0. There are no schema changes and no configuration changes.
```bash
# Community
docker compose pull && docker compose up -d

# Enterprise
docker compose -f docker-compose.yml -f docker-compose.enterprise.yml pull
docker compose -f docker-compose.yml -f docker-compose.enterprise.yml up -d
```
In-VPC Enterprise (AWS CFN)
Redeploy with the v9.1.1 images to pick up the refreshed container base layer. To also adopt the SNS topic encryption, redeploy from the updated CloudFormation templates.
Community-SaaS users
No action required.
Java SDK and OpenClaw users
Update the Java SDK to 8.5.1 and the OpenClaw plugin to 2.6.6 to pick up their security fixes. The Java production guard only affects deployments that had explicitly enabled the development-only insecure-TLS mode, which was never intended for production.
Related resources
- v9.1.0 Release Notes, the audit-coverage CI gate and built-in policy inventory release this patch builds on.
- Version Compatibility, how SDK and platform versions track each other.
- Java SDK Getting Started, the updated 8.5.1 install reference.
