Why does OpenClaw Codex show DNS lookup failed after upgrading to v2026.4.14?

The error is misleading. The actual problem is Cloudflare returning a 403 bot-challenge page because the pi-ai provider sends an originator header that triggers bot detection. The gateway misclassifies this as a DNS failure.

How to fix OpenClaw Cloudflare 403 error with GPT-5.4?

The root cause is in the buildBaseCodexHeaders function setting originator: pi. Downgrade to v2026.4.12 as a workaround, or wait for a patch that removes or changes the triggering headers.

Does re-authenticating OpenClaw fix the Cloudflare 403 error?

No. Re-authenticating after the upgrade does not resolve the issue because the problem is in the HTTP headers sent by the provider code, not the OAuth token itself.

Which OpenClaw versions are affected by the Codex Cloudflare 403 bug?

The issue recurs across versions. Issue #62087 (v2026.4.5), #62142 (v2026.4.5), and #66633 (v2026.4.14) all report the same Cloudflare 403 blocking pattern.

Is the OpenClaw Codex 403 error a Cloudflare or OpenAI problem?

It is a Cloudflare bot-mitigation issue triggered by specific headers in OpenClaw provider code. Cloudflare detects the originator: pi header and serves a challenge page instead of proxying to OpenAI.

← Back to dashboard

clawsmith.com/signal/openclaw-codex-cloudflare-403-v2026-4-14-upgrade

⚠ IssueWide OpenToolLive

OpenClaw Codex Provider Blocked by Cloudflare 403 After v2026.4.14 Upgrade: Every GPT-5.4 Turn Fails

Upgrading from 2026.4.12 to 2026.4.14 causes every openai-codex/gpt-5.4 request to return a Cloudflare challenge page (HTTP 403). Root cause: originator header in pi-ai provider triggers Cloudflare bot detection. Gateway misreports the error as DNS lookup failure.

Product Idea from this Signal

A CLI tool that validates an OpenClaw upgrade against your specific provider, channel, and service configuration before applying it

115 ▲

Every OpenClaw point release ships regressions that silently break production setups. v2026.4.14 alone introduced Cloudflare 403 blocks on Codex providers, chat-triggered tool dispatch failures in Telegram and Slack, installer crashes, and cron job deletion during updates. The pattern repeats across every version. This CLI reads your running OpenClaw config (active providers, channel bindings, cron jobs, installed skills), downloads the target release, and runs a provider header check, channel dispatch smoke test, service lifecycle simulation, and cron persistence validation against the new version. It outputs a pass/fail per component with specific issue references so you know exactly what will break before you upgrade.

CLIDEVTOOLTESTINGRELIABILITYOPEN-SOURCE

UnderservedView Opportunity →