Release history
open-webui releases
User-friendly AI Interface (Supports Ollama, OpenAI API, ...)
- Removed unauthenticated `GET /api/v1/retrieval/` status endpoint.
- Image URL redirect‑based SSRF closed in chat messages (PR #24524).
- Collection write access enforcement for `process_file`/`process_files_batch` endpoints (PR #24524).
- Tool source code update now requires `workspace.tools` or `workspace.tools_import` permission (PR #24513).
- Redirect-based SSRF protection via `AIOHTTP_CLIENT_ALLOW_REDIRECTS` env var.
- Iframe Content-Security-Policy configurable through `IFRAME_CSP`.
- Channel streaming now supports real‑time responses and full chat completion pipeline with native/default function calling, built‑in tools, user tools, MCP tools, filters, and RAG knowledge injection.
Full changelog
Added
- 🛡️ Redirect-based SSRF protection. All outbound HTTP requests now block 3xx redirects by default via a new `AIOHTTP_CLIENT_ALLOW_REDIRECTS` environment variable, preventing redirect-based SSRF where a public URL silently redirects to internal addresses (RFC 1918, loopback, cloud-metadata endpoints). Affected call sites include web fetch, image loading, OAuth discovery, tool server execution, and code interpreter login. #24491
- 🛡️ Iframe content security policy. Administrators can now configure a Content-Security-Policy for all srcdoc iframes (Artifacts, tool embeds, file previews, citation modals) via the `IFRAME_CSP` environment variable, restricting what LLM-generated or user-uploaded HTML can load and execute inside previews. Commit
- 🎛️ Granular markdown rendering controls. Users can now independently disable Markdown rendering for user messages and assistant responses from Interface settings, preventing unintended formatting when pasting text that contains Markdown-sensitive characters. Commit
- 🔧 Terminal proxy response headers. Administrators can now inject custom response headers into terminal proxy responses via the `TERMINAL_PROXY_HEADERS` environment variable (JSON object), enabling deployment-specific security headers like sandbox policies for proxied content. Commit
- 🔌 Channel streaming and tool support. Mentioning a model in a Channel now streams responses in real time and supports the full chat completion pipeline, including native and default function calling, built-in tools (web search, image generation), user tools, MCP tools, filters, and RAG knowledge injection — the same capabilities available in standard chats.
Fixed
- 📝 Notes create and open reliability. Creating new notes and opening existing notes no longer fails with a TypeError caused by `is_pinned` being passed to the SQLAlchemy model on create, and passed twice to `NoteResponse` on read. #24484, #24486
- 🔐 Skill public sharing permission enforcement. Creating or updating skills now filters access grants through the `sharing.public_skills` permission, preventing non-admin users from making skills publicly accessible without the required permission. #24494
- 🔐 Calendar public sharing permission enforcement. Creating or updating calendars now filters access grants through a new `sharing.public_calendars` permission, preventing users from making calendars publicly readable or writable without explicit admin-granted sharing permission. #24493
- 🔐 Feedback user attribution spoofing. Submitting evaluation feedback can no longer forge the `user_id` field through mass-assignment, preventing authenticated users from attributing ratings to other users and corrupting Elo leaderboard rankings and admin feedback exports. #24508
- 🛡️ Image URL redirect-based SSRF. Chat messages containing image URLs no longer follow 3xx redirects to internal addresses during base64 conversion, closing the most reachable redirect-based SSRF variant that required no special permissions or feature flags. #24524
- 🛡️ Collection write access on file processing. The `process_file` and `process_files_batch` retrieval endpoints now enforce collection write-access checks before embedding content, preventing authenticated users from injecting file content into another user's knowledge-base collection. #24524
- 🔐 Tool source code update authorization. Updating a tool's Python source code now requires `workspace.tools` or `workspace.tools_import` permission, preventing users with only a write-access grant from overwriting executable tool code while still allowing metadata edits. #24513
- 🔐 Channel message ownership enforcement. Updating or deleting messages in group and DM channels now requires message ownership, preventing channel members from tampering with or silently removing other members' messages. #24506
- 🔐 Channel pin write permission. Pinning and unpinning messages on standard channels now requires write permission instead of read permission, preventing read-only users from modifying pinned content. #24521
- 🛡️ Image generation URL validation. Generated image URLs are now validated through `validate_url()` before fetching, aligning the defense-in-depth posture with sibling image-loading paths. #24518
- 🔐 Model params exposure for read-only users. The per-model API endpoint now strips the `params` dict (including system prompts) from responses to callers without write access, preventing read-only users from viewing admin-curated model configuration. #24525
- 🛡️ URL parser SSRF bypass. URL validation now rejects backslash, tab, CR, and LF characters that cause urllib and requests/aiohttp to disagree on the target host, closing a parser-confusion SSRF bypass. #24534
- 🛡️ Profile image MIME-type allowlist. Serving profile images from data URIs now enforces a strict MIME-type allowlist (PNG, JPEG, GIF, WEBP by default, configurable via `PROFILE_IMAGE_ALLOWED_MIME_TYPES`) and sets `X-Content-Type-Options: nosniff`, preventing stored-XSS through SVG or other executable content types. Commit
- 🔐 File ownership in folder and knowledge attachments. Attaching files to folders or knowledge bases now verifies per-file read access, and folder file lists in chat middleware are filtered to entries the caller can read, preventing unauthorized file content from being injected into RAG context. Commit
- 🔐 Shared chat access for owners and admins. Chat owners can now view and clone their own shared chats without requiring an explicit access grant, and administrators can manage shared chat access controls on any chat. Commit, Commit
- 🧵 Legacy chat history self-healing. Loading legacy conversations now automatically detects broken parent-link graphs in migrated message records, merges missing messages from the embedded JSON history, and backfills them to the normalized table so future loads use the fast path without data loss. Commit
- 🎛️ Filter selector reactivity. Model filter checkboxes now derive state reactively from the current filter list and selected IDs instead of capturing a one-time snapshot at mount, so checkboxes update correctly when model contexts or filter configurations change at runtime. Commit
- 🌐 Portuguese (Brazil) translation updates. Translations for newly added UI items were added along with a consistency pass across existing entries. #24503
Changed
- 🧹 Removed unauthenticated retrieval status endpoint. The unauthenticated `GET /api/v1/retrieval/` status endpoint has been removed as dead code — retrieval configuration is already available through authenticated admin endpoints. #24497
- 📋 PR template issue requirement. Pull requests now require a linked Issue or Discussion reference, ensuring better traceability for all contributions. PRs without a linked issue or discussion may be closed without review.
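The two SSRF entries in this release (blocking 3xx redirects by default, and rejecting backslash, tab, CR and LF before URL validation) are illustrated by the following added example, which is not Open WebUI's code. The names `validate_outbound_url`, `fetch`, the injected `resolver` and `transport`, and the sample hosts are hypothetical; re-validating every hop when redirects are enabled goes beyond what the changelog states.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Characters the changelog names as making URL parsers disagree on the host.
FORBIDDEN_CHARS = ("\\", "\t", "\r", "\n")


class BlockedURL(ValueError):
    """Raised when a URL must not be fetched or a redirect must not be followed."""


def system_resolver(host):
    # Default resolver: every address the name maps to (IPv4 and IPv6).
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=system_resolver):
    """Return the vetted addresses for url, or raise BlockedURL."""
    # Check the raw string before parsing: urlsplit may silently drop tab/CR/LF,
    # so a check made on the parsed result would miss them.
    for ch in FORBIDDEN_CHARS:
        if ch in url:
            raise BlockedURL(f"forbidden character {ch!r} in URL")
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise BlockedURL(f"unparseable URL: {exc}") from exc
    if parts.scheme not in ("http", "https"):
        raise BlockedURL(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise BlockedURL("missing host")
    try:
        ipaddress.ip_address(host)
        addrs = [host]                      # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            raise BlockedURL(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise BlockedURL(f"{host!r} does not resolve")
    for addr in addrs:                      # one internal address is enough to refuse
        if is_internal(addr):
            raise BlockedURL(f"{host!r} maps to internal address {addr}")
    return addrs


def fetch(url, transport, allow_redirects=False, max_hops=3, resolver=system_resolver):
    """transport(url) -> (status, headers, body) stands in for the HTTP client."""
    for _ in range(max_hops + 1):
        validate_outbound_url(url, resolver)
        status, headers, body = transport(url)
        if not 300 <= status < 400:
            return status, body
        location = headers.get("Location")
        if not allow_redirects or not location:
            raise BlockedURL(f"refusing {status} redirect to {location!r}")
        url = urljoin(url, location)        # next hop is validated like the first
    raise BlockedURL("too many redirects")


# Constructed sample data (fake DNS table and fake transport) so this runs offline.
SAMPLE_DNS = {"cdn.example": ["8.8.8.8"], "intranet.example": ["10.0.0.5"]}
SAMPLE_RESPONSES = {
    "https://cdn.example/cat.png": (200, {}, b"PNG"),
    "https://cdn.example/r": (302, {"Location": "http://169.254.169.254/latest/"}, b""),
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])


def sample_transport(url):
    return SAMPLE_RESPONSES[url]


def demo():
    results = {}
    for url in ("https://cdn.example/cat.png", "https://cdn.example/r",
                "http://intranet.example/", "http://[::ffff:127.0.0.1]/",
                "http://cdn.example\t/x"):
        try:
            status, _ = fetch(url, sample_transport, resolver=sample_resolver)
            results[url] = f"ok {status}"
        except BlockedURL as exc:
            results[url] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for url, outcome in demo().items():
        print(repr(url), "->", outcome)
```

In a real client the connection should be made to the addresses that were vetted, otherwise a second DNS lookup can return a different answer than the one that was checked.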
Fixed chat scroll position on load to reliably reach the bottom of message history.
Full changelog
Fixed
- 📜 Chat scroll position on load. Opening a chat conversation now reliably scrolls to the bottom of the message history, fixing a regression caused by `content-visibility: auto` where estimated element sizes prevented the initial scroll from reaching the true bottom.
- Database schema changes necessitate backing up data and updating all instances simultaneously; rolling updates are unsupported.
- Signout endpoint now requires POST method (was GET).
- Voice Mode mute control with "M" shortcut and auto‑unmute after assistant playback
- Calendar creation flow via dedicated modal and quick‑add action in sidebar
- Assistant response editing and continuation from a dedicated editor view
Full changelog
Added
- 🔇 Voice Mode mute control. Voice Mode now includes a dedicated mute toggle with an "M" shortcut and auto-unmute after assistant playback, so you can prevent accidental interruptions from background noise without leaving the call overlay. Commit, #23832
- 🚀 Faster prompt list loading. Prompt and prompt-tag pages now load much faster for non-admin users, even with large prompt libraries, because accessible prompts are filtered efficiently in a single database query. #24288, #24258
- ⚡ Faster chat history loading. Chat history maps now load from normalized message records when available, reducing overhead for large conversations while preserving fallback behavior for legacy chats. Commit, #23159
- 🗑️ Delete from conversation menu. You can now delete the current conversation directly from the chat menu with a confirmation step, so cleanup is faster without searching through the full chat list. Commit, #24329
- ⬆️ Scroll to Top shortcut. Long conversations now include a Scroll to Top action in the chat menu when you are away from the top, making it much faster to jump back to the beginning of a chat. Commit, #24133
- 📅 Calendar creation flow. Users can now create calendars from a dedicated modal and a quick-add action in the calendar sidebar, making calendar setup faster from the calendar workspace. Commit, Commit
- 🧭 Unified model unload controls. Administrators can now unload running models from the model selector across supported providers, with loaded-state indicators shown for Ollama and llama.cpp models. Commit
- ⚡ Health check responsiveness. Health and readiness probes now avoid blocking database calls and skip sync session commit handling on probe paths, improving responsiveness and reducing false unready transitions during database pressure. #24380, #24384
- 🎛️ Playground controls panel. The Playground now includes a dedicated Controls toggle so you can adjust parameters like temperature and related settings per chat run without changing model-level defaults. Commit, #24103
- 🎙️ STT file extension controls. Administrators can now configure which audio file extensions are accepted for speech-to-text uploads, helping enforce safer and more predictable upload policies. Commit
- 📷 Remembered call camera selection. Voice call overlay now remembers your last selected camera and restores it automatically when available, so you do not need to reselect it every time you start voice mode. Commit, #24416
- 👥 User group prompt variable. System and template prompts now support the "{{USER_GROUPS}}" variable, which expands to the user’s group memberships so prompts can adapt to role- or access-based context automatically. Commit, #24462
- 🔐 Public chat sharing permission control. Administrators can now control whether users are allowed to create publicly shareable chats through a dedicated permission setting. Commit
- 🔐 Profile image forwarding control. Administrators can now disable external profile image URL forwarding with the "ENABLE_PROFILE_IMAGE_URL_FORWARDING" setting to prevent browser metadata leaks to third-party servers. #24420
- 🏷️ Dynamic header template variables. Administrators can now use chat, message, and user template variables in custom connection and tool server headers so each request can carry per-conversation context automatically. Commit, #24164
- 🛂 MCP OAuth server URL setting. Static OAuth tool server setups can now define a separate OAuth server URL, making discovery and client registration work when authentication endpoints are hosted separately from the tool server URL. Commit, #24164, #24216
- ⚡ Faster memory query performance. Per-user memory lookups and deletions now run much faster at scale because the memory user filter is indexed for existing and new installations. Commit, #23836
- 🚀 Smarter function dependency installs. Function dependencies are now skipped when they were already preinstalled and unchanged, reducing first-load delays and repeated package installation churn after startup. Commit, #24166
- 🔎 Brave LLM Context web search. Administrators can now choose Brave LLM Context as a web search provider to retrieve richer grounded passages with a configurable context token budget. Commit, #24120
- 🗂️ Open Terminal date sorting. Open Terminal now includes sort controls for name and date, with directory-first ordering and modified-time visibility to make file browsing faster. Commit, #24425
- 🎤 Voice mode prompt toggle. Administrators can now explicitly enable or disable the Voice Mode custom prompt behavior from Interface settings, giving finer control over how voice replies are guided. Commit
- 🧮 LaTeX copy shortcut. You can now click rendered LaTeX expressions to copy the raw formula to your clipboard, making it easier to reuse equations outside chat. Commit, #24244
- ✨ Smoother rich text editing. The message composer now defers formatting toolbar refresh work to the next animation frame, reducing typing jank while formatting controls stay accurate. Commit, #24013
- 🖼️ Arena model profile images. Arena models can now reliably display configured profile images instead of falling back to the default icon. Commit, #24412
- 🔄 Replaceable tool embed updates. Pipes and Tools can now overwrite previously emitted rich-UI embeds in-place by passing a `replace` flag on the `embeds` event, enabling live dashboards and progress panels that update without stacking duplicate entries.
- ✏️ Assistant response editing and continuation. You can now edit and restructure assistant output items — including reasoning blocks, tool calls, and text content — from a dedicated editor view, and continue generating from the edited state so the model receives full prior context.
- 🔄 General improvements. Various improvements were implemented across the application to enhance performance, stability, and security.
- 🌐 Translation updates. Translations for Chinese, Catalan, Filipino, and Korean were enhanced and expanded.
Fixed
- 🧵 Background code execution reliability. Code execution no longer hangs indefinitely when you switch conversations or browser tabs during a run, and disconnected or inactive sessions now fail with a clear timeout error instead of endless processing. Commit, #24089
- 🎙️ Voice recording MIME fallback support. Voice recording now tries a broader set of browser-supported audio formats and resets halted audio playback cleanly, improving microphone capture reliability in browsers where recording previously failed to start. Commit, #24162
- 🧠 Direct-connection task generation reliability. Title, tags, follow-up, emoji, query, and related task-generation endpoints now work correctly when chats use direct-connection models instead of failing with model-not-found errors. Commit, Commit, #24092
- 🔧 Parameterized URL tool readiness. New chats now wait for model defaults to finish applying before auto-submit, preventing early requests that can miss configured external tools. Commit, #24176
- 🚦 MCP cleanup response reliability. Successful native MCP tool calls no longer get replaced by a 500 "No response returned" error during cleanup, so valid chat responses are now returned consistently. #24105
- 🧵 Active task state recovery. Chat input no longer stays blocked by unrelated background tasks after a response is already complete, and interrupted assistant replies are now marked done more reliably. Commit, #23264
- 📌 Per-user note pinning behavior. Pinned notes are now tracked per user instead of with a shared note-level flag, so one person’s pin changes no longer affect everyone else. Commit
- 🧱 Custom header value coercion. Custom header values are now converted to text before requests are sent, preventing request failures when non-text values are configured. Commit, #24164
- 🔗 HTTP share link copy fallback. Copy Link now works reliably on HTTP deployments by using a selection-based fallback when secure clipboard APIs are unavailable. Commit, #24135
- 🧵 Regeneration loading lock recovery. Chats no longer get stuck in a permanent loading state after failed regenerations because invalid message-tree references are repaired before rendering. Commit, #24424
- 📸 Complete chat image capture. Downloaded chat snapshots now include all messages more reliably through visibility overrides and layout timing improvements during capture. Commit, Commit, #24088
- 🗓️ Calendar deletion lock handling. Calendar deletion now avoids SQLite write-lock contention by revoking calendar access grants in a separate transaction after calendar and event removal. Commit
- 🧩 Filter and internal tool coexistence. Internal tools now remain available when filters add provider-native tools, so filter-added tools no longer replace the built-in tool set during request processing. Commit, #24237
- 🛠️ OpenAPI tool spec compatibility. OpenAPI tool integrations now handle null or non-operation path entries more safely and parse path-level parameters consistently, preventing crashes and improving tool execution reliability across imperfect OpenAPI specs. Commit, Commit, #24376
- 🧰 OpenAPI tool schema parsing. OpenAPI tool imports now ignore non-method path item fields and correctly resolve nested composition schemas, preventing invalid tool parsing for compatible specs. Commit, #23254
- 🌍 Web search proxy compatibility. DuckDuckGo search now respects configured proxy environments more reliably, and trust-env behavior defaults to enabled so proxied web loading does not fail unexpectedly. Commit, #23810
- 🧾 Final markdown render flush. Streaming markdown now forces an immediate final parse when generation completes, preventing stale or partially rendered final output. Commit, #24088
- 🛡️ Webhook avatar URL validation. Channel webhook profile image URLs are now validated before saving, preventing invalid or unsafe avatar URLs from being accepted. #24370
- 📝 System prompt editor scroll stability. Editing large system prompts no longer jumps the page back to the top, so you can continue editing long model prompts without losing your place. Commit, #23999
- 🔎 Knowledge content search matching. Knowledge file search now matches both file titles and file content, so relevant files are easier to find even when the keyword is not in the filename. Commit, #24297
- ⚡ Faster prompt tag loading. Prompt tag filters now load much faster for non-admin users by fetching only accessible tags directly, avoiding per-prompt permission checks and unnecessary prompt data loading. #24287, #24258
- 🧾 Citation overflow badge readability. Citation overflow badges now keep multi-digit counts readable in a single compact bubble, preventing wrapped or cramped display when many sources are attached. Commit, #24391
- 🌐 Yandex result parsing guard. Yandex web search no longer fails when some XML fields are missing in individual results, so valid search responses continue to return usable sources instead of dropping to no results. Commit, #24243
- 🎧 Safer voice transcription uploads. Empty or failed voice conversions are now rejected with a clear error instead of continuing as malformed audio, reducing failed transcription attempts from corrupted or near-empty recordings. Commit
- 🎚️ Safer chunked STT processing. Chunked transcription now limits worker concurrency when no external STT engine is configured, reducing failed transcription behavior caused by overly parallel local processing. Commit
- 📈 Imported chat analytics coverage. Imported ChatGPT conversations now carry proper model and timestamp metadata and reliably write imported messages into analytics-backed storage, so imported chats are reflected correctly in Admin Analytics totals and model usage views. Commit, #24263
- 📎 Knowledge collection persistence. Knowledge collections selected with the chat input selector now remain attached after reloads and chat switches, so attached context no longer disappears between sessions. Commit, #24142
- 🧹 Embedding model name trimming. Embedding model names entered in Documents settings now automatically trim surrounding whitespace, preventing silent embedding failures caused by accidental trailing spaces. Commit, #24090
- 🔊 PCM TTS playback compatibility. Text-to-speech audio returned as PCM is now converted to MP3 before delivery, so speech playback works correctly with providers that return raw PCM audio. Commit, #24143
- 🪟 Windows PostgreSQL startup compatibility. Windows pip installs using PostgreSQL now start reliably with psycopg async by using a compatible event loop policy instead of the default Proactor loop. Commit, #24152
- ⏱️ MCP OAuth timeout control. OAuth token exchanges for MCP tool server connections now respect the configurable client timeout setting, reducing callback failures with slower providers. Commit, #24138
- 📄 PDF text search restoration. PDF previews now include a proper text layer so browser text selection and find-in-page search work again instead of rendering only image-like pages. Commit, #24149
- 🔑 Android password autofill support. Password inputs now expose the expected field name metadata, improving password manager autofill reliability on Android login pages. Commit, #24137
- 🎤 Non-blocking STT processing. Speech-to-text transcription no longer blocks the server event loop during both live transcription and uploaded audio file processing, so other users can continue using chats and live connections under concurrent load. #24338, #24379, #24169
- 🌐 SearXNG language parameter handling. Web searches now send clean multi-language values without trailing separators, so SearXNG requests no longer fail when multiple languages are selected. Commit, #24198
- 📂 File modal open-link behavior. Clicking a file name in the file details modal now opens the correct file content in a new tab for uploaded file items instead of failing to open. #24125
- 📎 Chat attachment display recovery. Files attached by chat tools now appear reliably in assistant responses, including non-image file attachments that were previously hidden. Commit, #24332
- 🧱 Channel embed rendering guard. Channel message embeds now appear only for model-generated messages and are suppressed in reply previews, preventing unintended embed expansion in regular user posts. Commit
- 🛡️ Safer image URL handling. Untrusted external image URLs are now blocked in profile and rich-text image rendering paths, preventing unintended client-side requests to attacker-controlled domains. #24420
- 🛡️ Sanitized spreadsheet HTML previews. Spreadsheet previews now sanitize generated HTML before rendering, reducing the risk of unsafe content being executed when opening office files in chat and file modals. #24468
- 🧰 Multi-worker tool update consistency. Updated tool code now refreshes correctly across workers without requiring a full service restart, so chats no longer run stale tool versions after edits. Commit, #24400, #24433
- 🧩 Default model metadata env parsing. The "DEFAULT_MODEL_METADATA" environment setting is now parsed and applied correctly, including when persistent config is disabled, so configured model capability defaults are no longer ignored at startup. Commit, #24319
- 🔄 Config import and Redis consistency. Imported settings now remain effective after import because configuration values are immediately synchronized to Redis, preventing stale cached values from overriding imported permissions and settings. Commit, Commit, #24346
- 🔔 LDAP signup webhook parity. New accounts created through LDAP now trigger the same signup webhook notifications as password and OAuth signups, so downstream provisioning and audit automations receive consistent events. Commit, #24377
- 🦆 DDGS auto-backend compatibility. Web search now handles DDGS automatic backend selection correctly and safely falls back on empty or rate-limited responses, preventing search failures in newer DDGS versions. Commit, #24188
- 🤖 Automation update tool reliability. Updating existing automations in chat now works correctly instead of failing with a missing method error. Commit, #24405
- 📅 Calendar event permission checks. Calendar event update and delete actions now handle ownership and access checks more reliably, returning clean access-denied results when appropriate. Commit
- 🛡️ Safer cached file delivery. Cached files that are not recognized as image, audio, or video now download as attachments instead of rendering inline, reducing the risk of unsafe browser content handling. Commit
- 📊 Streaming token analytics accuracy. Admin Analytics now records and aggregates token usage correctly for streaming chats across Responses API and OpenAI-compatible providers, including fallback handling for provider usage formats that use prompt and completion token keys. Commit, Commit, #24217, #24294, #24241
- 🔗 Admin shared chat links. Admin users can now open and clone shared chat links reliably without 401 errors because shared links are now resolved by share ID first, with safe fallback behavior for direct chat ID access. Commit, #24311, #24096
- 💾 Chat settings persistence. System prompts and other chat-level settings now persist correctly after creating a new chat and reloading, preventing prompt loss in affected conversations. Commit, #24193, #24270
- 💾 Chat control autosave persistence. Changes to chat controls like system prompt, parameters, and attached files are now autosaved on existing chats, so edits are no longer lost when you refresh or navigate away before sending a message. Commit, #23897
- ☁️ OneDrive option visibility. OneDrive personal and business upload options now appear only when their respective client IDs are configured, preventing unavailable options from showing in attachment menus. Commit, #24411
- 🧠 Reasoning content leakage prevention. Tool-call round-trip messages no longer wrap reasoning text in `<think>` tags inside the content field, preventing raw markup from leaking into chat output for models whose templates don't strip think tags (e.g. Gemma 4). #23844
- 🖥️ Terminal sidebar auto-open guard. The terminal sidebar no longer auto-opens on chat load when OpenTerminal is disabled, because stale terminal IDs saved on models or in localStorage are now validated against available terminal servers before use.
- 🔁 Single-confirmation connection deletion. Deleting OpenAI, Ollama, tool server, and terminal server connections now shows exactly one confirmation dialog instead of two, because redundant outer confirmation wrappers were removed from all connection components.
- 🧵 Reliable background task cleanup. The chat task lifecycle now deregisters completed tasks before checking for remaining siblings, eliminating the off-by-one timing issue that could leave the stop button stuck or dismiss the sidebar activity spinner too early.
Changed
- ⚠️ Database Migrations: This release includes database schema changes; we strongly recommend backing up your database and all associated data before upgrading in production environments. If you are running a multi-worker, multi-server, or load-balanced deployment, all instances must be updated simultaneously; rolling updates are not supported and will cause application failures due to schema incompatibility.
- 🚪 Signout request method. The signout endpoint now requires POST instead of GET, so custom clients and integrations must update logout calls accordingly. #24420
- psycopg v3 async driver migration from asyncpg requires connection string updates
- Fixed model profile image path traversal
- Docker ARM64 reliability improvements
- CVE-2025-6176
- PaddleOCR-vl document extraction engine
- Firecrawl v2 API with retry logic
- Custom API key header support
Full changelog
Added
- 🧠 PaddleOCR-vl document extraction. Administrators can now use PaddleOCR-vl as a content extraction engine for document processing, with configurable API URL and token settings in document retrieval configuration. #23945
- 🔥 Firecrawl v2 API. Firecrawl web loading now uses the v2 API directly with proper retry logic, exponential backoff on rate limits, and configurable timeout handling, improving reliability for both cloud and self-hosted Firecrawl setups. #23934
- ⏰ Calendar event reminder customization. Calendar events now support a configurable `reminder_minutes` parameter, allowing models to set custom reminder durations instead of the default 10-minute notification.
- 🔑 Custom API key header. Administrators can now configure a custom header name for API key authentication via the `CUSTOM_API_KEY_HEADER` environment variable, enabling compatibility with reverse proxies that use the `Authorization` header for their own authentication.
- 🔌 OAuth session disconnection. Users can now disconnect OAuth sessions for specific providers (e.g., MCP connections) through a new API endpoint, enabling cleaner re-authentication workflows.
- 📚 Source overflow indicator. The Sources button now shows a +N badge when more than three sources are available, so hidden sources are clearly indicated in chat responses. #23918
- ⚡ Model list performance. Model list API responses now strip base64 profile image data from paginated results, and model tags are fetched via a dedicated efficient query instead of loading all models. This significantly reduces payload sizes and improves workspace Models page responsiveness.
- ⚡ Model avatar cache reuse. Default model profile images now redirect to a shared static path instead of reading files from disk per-request, reducing repeated I/O and improving loading efficiency when multiple models use the fallback icon. #24015
- 🚀 Faster splash image loading. Splash screen images are now prioritized earlier during page load with preload links, improving first-load LCP behavior and reducing delayed image discovery. #24011
- 🧵 Streaming markdown performance stability. Streaming responses now stay more memory-efficient by preventing repeated cleanup callback registration during markdown updates. #24048
- 📊 Telemetry gauge reliability. OpenTelemetry user gauge callbacks now use synchronous database queries directly, eliminating cross-thread async bridging issues that could cause silent failures in metric collection.
- 🔄 General improvements. Various improvements were implemented across the application to enhance performance, stability, and security.
- 🌐 Translation updates. Translations for Finnish, Korean, Portuguese (Brazil), and Dutch were enhanced and expanded.
Fixed
- 🔧 MCP task cancellation stability. Interrupted MCP tool calls no longer cause CPU spikes or runaway cleanup behavior. MCP client disconnection now runs in the same asyncio task as connection, respecting cancel scope constraints, and chat-active events are properly shielded during cancellation.
- 🧠 Persistent chat skill injection. Skills mentioned in persisted chats now inject into the system prompt reliably. Skill ID extraction from `<$skillId|label>` message tags is now handled server-side, and tags are stripped before messages reach the model.
- 🗄️ Async database driver migration. The async database backend now uses psycopg (v3) instead of asyncpg, eliminating brittle SSL parameter translation and supporting native libpq connection strings including `sslmode`, `options`, and `target_session_attrs` without any stripping or conversion.
- 🐳 Docker ARM64 reliability. Docker images built for arm64 via QEMU cross-compilation no longer produce 0-byte corrupted Python dependencies. `UV_LINK_MODE=copy` is now set in the Dockerfile to force reliable file installation.
- 🛠️ Throttle request handling. Request handling no longer fails when user activity status updates are throttled with a non-zero interval. #23979
- ✍️ Rich text extension conflicts. Rich text editing no longer triggers duplicate extension conflicts for lists and code blocks, improving editor stability. #24009
- 🔇 Fetch URL null content guard. The `fetch_url` built-in tool now safely handles `None` content returned by web loaders instead of crashing with a `TypeError`.
- 🌐 OAuth discovery fallback. OAuth protected resource discovery now falls back to well-known RFC 9728 URIs when the `WWW-Authenticate` header doesn't contain a `resource_metadata` link, improving compatibility with more MCP server implementations.
- 🔐 Session token resolution. Session user endpoints now gracefully handle missing `Authorization` headers by falling back to cookie and request state tokens, preventing errors when used behind forward-auth proxies.
- 🚫 Direct API error responses. Chat completion requests without a WebSocket channel (direct API calls) now return proper HTTP error responses instead of silently returning null on failure.
- 📡 Cancelled response stream cleanup. Cancelled chat generation now explicitly closes the upstream response body iterator, preventing orphaned async generators from spinning in anyio internals.
- 🔒 Model profile image path safety. Model profile image endpoints now validate and sanitize static asset redirect paths, preventing path traversal through encoded dots or malicious URL patterns.
- 📊 RAG template validation UI. The Documents settings page now displays a warning when RAG templates contain multiple `[context]` or `{{CONTEXT}}` placeholders, helping administrators avoid accidental redundant context injection.
- 🧩 Automation model detection. The `create_automation` tool now correctly detects the current model ID even when `model_id` is not yet set in metadata, falling back to the model dict.
- 🔄 MCP resource content handling. MCP tool results with the `resource` content type are now correctly detected and their `resource.text` payload is extracted, instead of being silently ignored.
- 🔄 Ollama and OpenAI metadata forwarding. Ollama and OpenAI proxy routes now forward request metadata to downstream handlers, ensuring consistent context propagation.
- 🧹 Browser-native message virtualization. The custom JavaScript-based message culling system (spacers, height caching, scroll listeners) was replaced with CSS `content-visibility: auto`, letting the browser natively skip rendering of off-screen messages without destroying component trees. This eliminates scroll jump artifacts and mount/destroy thrashing while preserving memory efficiency in long conversations.
- 📻 Redis notification compatibility. Redis pub/sub now handles missing or incompatible `client_name` support more gracefully, preventing connection errors with certain Redis configurations.
Changed
- ⚙️ psycopg v3 async driver. The async database driver has been migrated from `asyncpg` to `psycopg` (v3). This is a transparent change for most deployments, but custom connection strings with `asyncpg`-specific parameters may need adjustment.
- 🔑 Brotli dependency update. Brotli has been updated to address CVE-2025-6176.
- 🖥️ Windows startup script. The Windows startup batch script has been updated for improved compatibility.
Fixed startup crashes from missing aiosqlite and asyncpg dependencies in pip and uv installations.
Full changelog
Fixed
- 🐛 Missing `aiosqlite` dependency. Fixed a startup crash (`ModuleNotFoundError: No module named 'aiosqlite'`) when installing Open WebUI via `pip` or `uv` by adding the missing `aiosqlite` package to `pyproject.toml`. The dependency was listed in `requirements.txt` but not in the published package metadata, so it was not installed automatically. #23916
- 🐛 Missing `asyncpg` dependency. Added the missing `asyncpg` package to `pyproject.toml` to prevent the same startup crash for PostgreSQL users. Like `aiosqlite`, it was present in `requirements.txt` but absent from the published package dependencies.
- Database schema changes require backup before upgrade in production
- Multi-instance and load-balanced deployments must update all instances simultaneously; rolling updates not supported and will cause application failures due to schema incompatibility
- Official Open WebUI Desktop App for Mac, Windows, and Linux with offline support and system-wide floating chat bar
- Scheduled chat automations for recurring tasks with full run history and manual trigger controls
- Calendar workspace with event management, recurring schedules, reminders, and automation integration
Full changelog
[!CAUTION]
⚠️ Database Migrations: This release includes database schema changes; we strongly recommend backing up your database and all associated data before upgrading in production environments. If you are running a multi-worker, multi-server, or load-balanced deployment, all instances must be updated simultaneously; rolling updates are not supported and will cause application failures due to schema incompatibility.
Added
- 🖥️ Official Open WebUI Desktop App. Open WebUI is now available as a native desktop app for Mac, Windows, and Linux. No Docker, no terminal, no setup. Runs Open WebUI locally without any server setup, or connects to your existing remote Open WebUI instances. Switch between multiple servers instantly from the sidebar. Comes with a system-wide floating chat bar (Shift+Cmd+I on macOS, Shift+Ctrl+I on Windows/Linux), system-wide push-to-talk, offline support after first launch, automatic updates, and zero telemetry. #8262, Desktop
- 🤖 Scheduled chat automations. You can now schedule the AI to run tasks automatically on a recurring basis: daily digests, periodic reports, anything you'd otherwise need to remember to ask for. Create and manage automations from the Automations page or directly in chat, with full run history and manual trigger controls. #23303, Commit, Commit, Commit, Commit
- 🧰 Automation tools in chat. Built-in chat tools can now create, update, list, pause, and delete scheduled automations directly in conversation when automation access is enabled. Commit
- ⏱️ Automation scheduling limits. Administrators can now set "AUTOMATION_MAX_COUNT" and "AUTOMATION_MIN_INTERVAL" to limit how many automations each non-admin user can create and prevent overly frequent schedules that could overload the system. Commit
- 📋 Task management tool. AI models can now create, update, and track tasks within a chat conversation, breaking down complex requests into manageable steps with real-time status updates. Commit
- 🗓️ Calendar workspace and event management. Open WebUI now has a full Calendar workspace. Create and manage events, set up recurring schedules, get reminders via in-app toasts or browser notifications, and see your scheduled automations alongside your calendar. #23880
- 🔔 Calendar reminders and alerts. Calendar events now support reminder options from no alert up to one hour before start time, with upcoming alerts delivered through in-app toasts, browser notifications, and optional webhooks while avoiding duplicate sends. Commit
- ⚙️ Scheduler reminder configuration. Administrators can now configure calendar reminder processing with "SCHEDULER_POLL_INTERVAL" and "CALENDAR_ALERT_LOOKAHEAD_MINUTES", while existing "AUTOMATION_POLL_INTERVAL" setups continue to work as a legacy fallback. Commit
- ☁️ Azure responses support. Azure OpenAI connections now support the newer "/openai/v1" format, enabling chat, responses, and proxy calls to work correctly with that endpoint style. #23484
- 🤖 Ollama responses support. The Ollama proxy now supports the Responses API, letting clients use "/v1/responses" directly with Ollama-hosted models through Open WebUI. #23483
- 🧩 Responses tool output rendering. Built-in tool outputs in Responses API flows now render more consistently so downstream chat output is easier to interpret. Commit, #23482
- 🔎 Responses citation visibility. Responses API flows now emit citation sources more consistently, making linked references easier to preserve and display in chat output. Commit, #23774
- 📎 Attach previously uploaded files. The chat input menu now includes a Files tab for browsing and attaching previously uploaded files, eliminating the need to re-upload files you have already shared. Commit
- 🧷 Default model terminal selection. Workspace model editors can now preselect an Open Terminal connection, so new chats automatically start with the model’s configured terminal ready to use. Commit, #23605
- 🎙️ Mistral TTS support. Mistral can now be used as a text-to-speech provider, with admin settings for the API key, base URL, voices, and model selection. Commit
- 🎧 STT preprocessing bypass option. Administrators can now enable "AUDIO_STT_SKIP_PREPROCESSING" to send audio files directly to the speech-to-text backend, reducing memory and CPU consumption during large uploads for better transcription performance and stability on constrained deployments. #23661
- 🗑️ Admin model deletion. Administrators can now delete Ollama models directly from the model selector menu, making it easier to clean up unused or unwanted models. Commit
- 🔌 Backend outlet filters for local and persisted chats. Pipeline and function outlet filters now run reliably in backend completion flows for persisted chats and temporary local chats. #3237, Commit
- 🎨 Emoji shortcode support. Typing a colon in the chat input now opens an emoji suggestion menu, making it easier to insert emojis using shortcodes like :wave:. Commit
- 📌 Recently used emojis. The emoji picker now shows your most recently used emojis at the top, making it faster to find emojis you use often. Commit
- 👆 Swipe to reply on mobile. Swiping right on a message now triggers a reply, making it easier to respond on touch devices with a natural gesture. Commit
- 📱 Screen-awake voice recording. Voice recording now keeps the screen awake during active dictation and safely re-acquires wake lock after visibility changes, helping prevent long transcriptions from being cut off on mobile devices. #23145
- 🔔 Unread chat indicators. Sidebar chats now show unread status and are marked as read when opened, making it easier to spot conversations with new activity. Commit
- 🔌 WebSocket reconnect status feedback. Open WebUI now warns when the real-time connection drops and confirms when it reconnects, while avoiding a reconnect message on the initial page load. Commit
- 📍 Pinned notes in sidebar. Notes can now be pinned to the sidebar for quick access, and you can also create a new note directly from the pinned notes section. Commit, Commit
- 🗂️ Model selector focus. The model selector now resets its search only when it opens, making the popup feel more predictable while still focusing the search field automatically. Commit
- 🗂️ Model selector layout. The model selector now behaves more predictably as a custom popup, and the completions playground uses a simpler model picker for easier selection. Commit
- 🎚️ Active filter valve shortcut. Active filter badges now expose valve configuration directly in the chat input area, so filter tuning is faster during conversations. Commit, #23811, #23813
- 🎨 Theme updates. Other windows can now update the app theme directly, keeping the interface in sync when theme changes are triggered externally. Commit
- 🚀 Async performance and responsiveness improvements. The core backend database and request paths now run asynchronously across the application, massively improving responsiveness and performance under concurrent load and reducing request blocking during heavy activity. Commit, Commit
- ⚡ Drawer performance and memory optimization. Drawer interactions now stay smoother over long sessions by removing stale keyboard listeners on teardown, which reduces memory growth and avoids accumulated event handling overhead. #23724
- 🚀 Chat history memory culling. Long conversations now stay responsive no matter how many messages they contain. Off-screen messages are unloaded automatically and reloaded as you scroll, keeping memory usage low and the UI smooth on both desktop and mobile. #23067, Commit, Commit
- 🧵 Async file and knowledge processing performance. File processing, knowledge reindexing, and channel message helper paths now consistently await async operations, preventing skipped processing steps and improving reliability and performance of indexing and tool responses. Commit
- 🚀 Persistent chat payload efficiency. Persisted chats now use server-side history loading instead of repeatedly resending full message payloads, improving multimodal performance and reducing stale-history overwrite risk across devices. #19064, Commit, Commit
- 🧵 Non-blocking file storage operations. Uploading, reading, transcribing, and deleting files now offloads storage I/O to background threads, keeping the application responsive during file-heavy workflows. Commit
- 🏎️ Streaming response performance. Streaming responses now process each output line in a single step instead of two separate yields, reducing async overhead and improving responsiveness during long-running generations. #23266
- 🔎 Faster mention parsing. Chat text with HTML-like content, file paths, or tool output now parses mentions more efficiently, which helps keep typing and rendering responsive in messages that contain many '<' characters. #23551
- 🧪 Code block rendering performance. Code blocks now reuse a shared HTML unescape helper, reducing extra browser work when displaying encoded output in chat. #23553
- 🚀 Inline code rendering performance. Inline code tokens in streaming responses now fade in with a lightweight CSS animation, making chat output feel smoother while reducing interface overhead during rapid token updates. #23258
- 🎞️ Streaming text token animation performance. Streaming text tokens now use a lightweight CSS intro animation, making output feel smoother while reducing transition overhead and preventing tokens from fading out when generation completes. #23257
- 🎯 Template token scan optimization. Streaming responses now skip unnecessary token-replacement processing when no template markers are present, reducing per-update overhead and keeping chat output smoother during rapid generation. #23161
- 🔬 Chinese text processing guard performance. Streaming responses without Chinese characters now skip unnecessary Chinese-format processing checks, reducing per-update overhead and keeping output smoother during rapid generation. #23162
- 🧠 HTML entity decode performance. Streaming text decoding now avoids repeated document parsing for HTML entity handling, reducing memory churn and improving responsiveness in token-heavy chat output. #23165
- 🏷️ Chat title update performance. Chat title updates now run in a single database operation instead of multiple round trips, improving responsiveness and reducing overhead when titles are generated or renamed. #23214
- 📂 Faster chat list queries performance. Chat and folder lists now load more efficiently by fetching only the fields needed for sidebar views, improving responsiveness when browsing large conversation histories. Commit
- 📈 Sidebar memory optimization. Sidebar chat items now use shared drag-preview resources and safer listener cleanup, reducing memory growth and keeping large chat lists more responsive during long sessions. #23209
- 🧠 Image viewer memory optimization. Viewing images and SVGs now uses significantly less memory and performs faster, keeping the application snappy and responsive even when browsing through many media files during extended sessions. #23236
- 📡 Optimized user activity tracking performance. User activity updates now use a single database query instead of multiple operations, improving response times across all authenticated requests. #23215
- 👥 Faster channel thread author loading. Channel thread responses now load author details in a single batch query, reducing database overhead and improving responsiveness in threads with many participants. #23795
- 💨 Optimized shared chat deletion. Deleting shared chats by user is now faster and more memory-efficient by only loading necessary data. #23216
- 🗃️ Faster chat tag loading. Chat tag lookups now load only the metadata needed instead of full chat payloads, improving responsiveness for chats with large histories. #23798
- 📎 Faster chat file deduplication. Attaching files to chat messages now checks duplicates more efficiently, reducing overhead when handling larger file lists. #23800
- 📈 Faster message diff checks. Chat message and status updates now compare content more efficiently during streaming, making active conversations feel smoother and more responsive. #23370
- ⚖️ Faster deep equality checks. Chat message updates, model selection, note editing, code block refreshes, and rich text state comparisons now use deep equality checks that reduce unnecessary UI work and improve responsiveness in active sessions. #23845
- 🏃 Faster knowledge access updates. Updating access grants for knowledge items now completes with less backend overhead, making permission changes apply more quickly. #23799
- 🧹 Mermaid render cleanup performance. Mermaid diagrams now always clean up temporary render elements after failures, reducing DOM buildup and keeping repeated rendering more stable over time. #23727
- 🖼️ Model image lookup efficiency. Model profile image requests now reuse the current request database session, reducing per-request overhead and improving response efficiency. #23796
- 👤 User endpoint query reduction. Session-based user settings and status endpoints now avoid redundant user re-fetches, reducing unnecessary database load while preserving behavior. #23794
- 🚦 Faster startup performance. Open WebUI now checks for Torch MPS support only on macOS, avoiding unnecessary startup work on other platforms. #23438
- 🛡️ Redis timeout consistency. Redis connections now honor the "REDIS_SOCKET_CONNECT_TIMEOUT" setting across standard and cluster setups, helping workers fail faster when Redis is unreachable. #23572
- 🧰 AIOHTTP pool controls. Administrators can now tune shared outbound HTTP connection behavior with "AIOHTTP_POOL_CONNECTIONS", "AIOHTTP_POOL_CONNECTIONS_PER_HOST", and "AIOHTTP_POOL_DNS_TTL" for better control under high concurrency. Commit
- ⏱️ MCP tool server timeout configuration. Administrators can now configure request timeouts for MCP tool server connections via the "AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER" environment variable. Commit
- 🎫 Static OAuth tool authentication. Tool server authentication now works reliably for both "oauth_2.1" and "oauth_2.1_static" connection types, so OAuth-backed tool access is correctly detected and forwarded during chat requests. Commit
- 🗄️ Configurable storage local cache. Administrators can now disable persistent local caching for cloud-backed uploads with the "STORAGE_LOCAL_CACHE" setting, reducing local disk usage by cleaning temporary upload copies after processing. Commit
- 🚪 Back-channel logout. OpenID Connect providers can now trigger centralized logout through the "ENABLE_OAUTH_BACKCHANNEL_LOGOUT" setting, helping administrators invalidate user sessions more reliably across connected devices. Commit
- 🛡️ Expanded security header controls. Administrators can now configure additional browser security headers, including "CONTENT_SECURITY_POLICY_REPORT_ONLY", "CROSS_ORIGIN_EMBEDDER_POLICY", "CROSS_ORIGIN_OPENER_POLICY", and "CROSS_ORIGIN_RESOURCE_POLICY", for stricter and more flexible deployment hardening. Commit
- 🖼️ Image MIME fallback option. Administrators can now enable "ENABLE_IMAGE_CONTENT_TYPE_EXTENSION_FALLBACK" so image-to-base64 conversion can still detect common image types by file extension when MIME metadata is missing, improving compatibility on minimal container images and older file records. Commit
- 🛡️ Public sharing permissions. Public channels, models, notes, prompts, and tools now respect allowed access grants more consistently, helping administrators control who can share content more safely. Commit
- 🆔 Skill lookup by ID. Skill instructions now include each skill’s ID, and the skill viewer now finds skills by ID in a case-insensitive way so attached skills are identified more reliably in chats. Commit
- 🏷️ Source context metadata. Retrieval source context now includes each source’s resource type and resource ID metadata, helping downstream model workflows preserve richer source identity during processing. Commit
- 🗂️ Feedback filtering. Administrators can now filter feedback history by model and export only the feedback they need. Commit
- 📤 CSV feedback export. Feedback history can now be exported as either JSON or CSV, making it easier to analyze feedback in spreadsheet tools. Commit
- 📝 Optional GET audit logging. Administrators can now enable auditing for GET requests with the "ENABLE_AUDIT_GET_REQUESTS" setting when they need fuller request visibility. Commit
- 🕒 Model access updates. Changing a model’s access grants now updates its timestamp, so recently modified models stay easier to find and sort correctly. Commit
- 💬 Queued message handling. Queued chat messages now send more reliably without advancing the queue too early, keeping follow-up prompts in the intended order. Commit
- 🔒 Rendered content safety. Placeholder descriptions and the pending account notice now render markdown with safer sanitization ordering, reducing the risk of unsafe HTML appearing in these views. Commit
- 🛡️ Safer placeholder rendering. Chat placeholder descriptions and the pending account notice now sanitize rendered markdown more consistently, reducing the risk of unsafe content being shown in these views. Commit
- 🧮 Usage analytics accuracy. Token usage is now normalized before chat messages are saved, so model and user usage reports stay accurate across OpenAI-compatible providers. Commit
- 🧩 Richer Anthropic tool results. Anthropic-compatible tool calls now preserve more tool result content types, including images and structured search or document outputs, so models can use fuller tool context instead of receiving only plain text fragments. #23188, Commit
- 🖼️ ComfyUI request reliability. ComfyUI image generation and editing now use shared async connections with consistent SSL handling, making image uploads and workflow runs more reliable under concurrent load. Commit
- 🎛️ Reranking batch size control. Administrators can now set "RAG_RERANKING_BATCH_SIZE" in Documents settings to control reranking workload size, helping balance retrieval speed and resource usage for their deployment. Commit
- 🔗 Shared chat access controls. You can now control who has access to a shared chat by granting access to specific users or groups, instead of sharing with anyone who has the link.
- 🔄 General improvements. Various improvements were implemented across the application to enhance performance, stability, and security.
- 🌐 Translation updates. Translations for Irish, Catalan, German, Simplified Chinese, Hindi, and Portuguese (Brazil) were enhanced and expanded.
Fixed
- 🛡️ Model description XSS protection. Model descriptions shown in chat placeholders are now sanitized before rendering, preventing malicious links from executing scripts and helping protect user sessions from takeover. #23621
- 🧠 Memory search filtering. Memory search now correctly filters by the query text instead of returning unrelated results. Commit, #23826
- 📊 Shared chat analytics consistency. Usage and message-count analytics now count assistant activity consistently across regular and shared chats, improving accuracy in model, user, chat, and time-based reporting views. Commit
- 🧭 Safer in-flight chat navigation. Sending a message no longer overwrites your active chat or causes duplicate background notifications when you switch conversations before a response finishes. Commit
- 🗣️ Pipeline error detail visibility. Pipeline inlet and outlet failures now preserve and surface provider error details more reliably in chat error messages, making troubleshooting failed requests much clearer. Commit
- 📨 Shared chat event routing. Message update and send events now target the chat owner’s event channel, so shared chats receive the correct real-time updates instead of routing events to the acting user. Commit
- 🔐 Consistent outbound SSL handling. External requests for tools, functions, terminals, webhooks, retrieval loaders, audio provider discovery, and OpenAI-compatible embedding calls now consistently apply the configured SSL client setting, improving reliability for deployments that require custom certificate or verification behavior. Commit, Commit
- 🖼️ Image SSL setting support. Image generation now respects the configured SSL session setting, preventing avoidable connection failures in strict certificate environments. Commit, #23777
- 🗂️ Folder ownership assignment hardening. Folder create and update inputs now reject unexpected extra fields, preventing clients from overriding protected values like ownership through mass-assignment payloads. #23648
- 🔐 Knowledge file deletion ownership checks. Collaborators with knowledge base write access can no longer permanently delete files they do not own, preventing unintended file removal across other linked chats and knowledge bases. Commit, #23636
- 🗑️ Knowledge deletion reliability. Deleting a knowledge base by ID now completes reliably without unexpected failures. Commit, #23776, #23814
- 🔐 OAuth 2.1 PKCE enforcement. OAuth 2.1 providers now default to S256 PKCE even when discovery metadata omits supported challenge methods, preventing login failures with providers that require PKCE by default. #23667, Commit
- 🔐 Static OAuth scope handling. Static OAuth credential flows now prioritize administrator-defined scopes and handle OAuth 2.1 static flow behavior more reliably. Commit, #23668, #23696, #23783
- 🔐 Static OAuth tool registration reliability. Static OAuth tool server registration now resolves and uses saved admin credentials more reliably, preventing registration failures when valid client credentials are provided. #23670, Commit, Commit
- ⏳ OAuth token expiry fallback. OAuth sessions now always store a safe expiry value even when providers omit "expires_in" or "expires_at", so token refresh checks continue working and tool calls are less likely to fail later with unexpected authorization errors. #23669, Commit
- 🔑 Anthropic x-api-key model access. Anthropic-compatible clients can now authenticate with the "x-api-key" header across all relevant API routes, so model listing requests like GET "/api/v1/models" no longer fail with unauthorized errors. #23319, Commit
- 🔑 SSO password option visibility. Account settings now hide password change controls when password-change access is disabled, avoiding misleading password options for SSO-focused setups. #15292, Commit
- 🔑 Open Terminal MCP authentication. Open Terminal MCP tool calls now include the configured API key when calling internal routes, preventing unauthorized errors for commands like file reads and command execution. #106
- 🧯 Provider error freeze recovery. Task-based chat requests now surface provider HTTP errors through normal failure handling, so content-filter and other upstream 4xx responses no longer leave chats stuck in a perpetual loading state. #23663, Commit
- 🔄 Immediate outlet filter updates. Assistant messages modified by outlet filters now appear correctly as soon as streaming completes, without requiring a page refresh. #23829
- 🌊 Middleware cancellation reliability. Long-running requests now complete more reliably by preventing middleware-level cancellations from interrupting in-flight database and embedding work, reducing unexpected failures and noisy error logs when connections close early. #23709
- 🚦 Async vector search responsiveness. File processing, memory updates, and knowledge retrieval no longer block the server event loop during vector database operations, so other chats and requests stay responsive while indexing or search is running. #23706
- 🗒️ Notes chat llama.cpp compatibility. Notes AI chat no longer sends empty assistant prefill messages that can conflict with reasoning-enabled llama.cpp responses, preventing immediate 400 errors in Notes conversations. Commit, #23703
- 🧩 Ollama thinking field preservation. Messages modified by filters now keep the Ollama "thinking" field when sent to the model, so reasoning-aware workflows and custom filter-based passthrough setups work reliably. Commit, #22508
- 🧾 Reasoning content preservation. Assistant tool-call messages now retain reasoning content across turns, improving reliability for reasoning-heavy model workflows. Commit, #23175, #23742
- 🧭 Background task scoping for new chats. Chat title and auto-tag generation now run only for the first message of a new conversation and only once in multi-model responses, preventing duplicate or incorrectly triggered background tasks in follow-up flows. Commit
- 📚 Channel document context retention. Channel conversations now preserve and load the correct stored message history so model responses can use uploaded and retrieved document context more reliably. #23686, Commit, Commit
- ⏳ Interrupted response recovery. Assistant placeholder messages now start as incomplete and recover more safely after interrupted generations, preventing silent empty replies after refreshes or dropped requests. #23176, Commit, Commit
- 🧰 Large tool result rendering. Tool call details now display large result payloads reliably in chat instead of intermittently showing empty output for bigger tool responses. #18743, Commit
- 🧼 Null-byte document sanitization. PDF and other document ingests now sanitize null bytes and invalid surrogate characters before pgvector writes, preventing PostgreSQL upload failures and allowing affected files to index successfully. #22992, Commit
- 📝 Knowledge text editor stability. The Knowledge "Add Text Content" modal now uses a plain text editor, avoiding current rich text editor issues and keeping drafting behavior consistent with existing knowledge editing flows. Commit
- 🎤 STT SSL setting consistency. Speech and related outbound media requests now consistently use shared async HTTP sessions and honor the configured SSL verification setting, improving compatibility with self-signed deployments. #23672, Commit
- 🎙️ Mistral speech input format. Mistral speech-to-text requests now use the correct chat-completions audio input format for better compatibility. Commit, #23822
- 🖼️ Optional image size parameter. Image generation no longer sends the "size" field when no size is configured, improving compatibility with providers that reject unsupported size arguments. #23611, Commit
- 🔎 FireCrawl timeout reliability. FireCrawl web loading now uses direct scrape requests and improved timeout handling for single-URL fetches, reducing empty results and premature timeout failures with local FireCrawl setups. #23411, Commit
- 🖱️ Custom action icon drag prevention. Custom user-added action icons in chat responses are no longer accidentally draggable, so clicks and hover interactions behave consistently with built-in action icons. #23412
- 🖼️ Image URL conversion reliability. Sending image URLs to AI models no longer fails with "cannot pickle 'coroutine' object" errors, so image inputs now convert to base64 reliably during request processing. #23685
- 📂 Channel input menu dismissal. In Workspace Channels, the message input dropdown now closes immediately after selecting "Upload Files" or "Capture", matching normal chat input behavior and preventing the menu from staying open unnecessarily. #23684
- 📋 Clipboard copy scroll stability. Copying content with the fallback clipboard method no longer triggers unwanted page scrolling during focus, keeping your current reading position stable. Commit
- 🖼️ Profile image URL validation. Profile saves now accept valid Open WebUI profile-image paths, trusted external HTTP(S) avatar URLs, and safe raster data-image formats while rejecting unsafe URL patterns that could be abused. #23389
- 👤 Partial user profile updates. User update API requests can now modify only the fields you provide, so administrators no longer need to resubmit unchanged name, email, and profile image values when changing a single setting like role. #23424, Commit
- 🚨 Provider SSE error visibility. Provider failures returned with streaming content types are now surfaced as proper API errors and logged clearly, so issues like context-window limits no longer fail silently during chat generation. #23379
- 🧵 Queued prompt race prevention. Chat request queues now prevent overlapping processing for the same chat, avoiding duplicate queue handling when multiple queue-processing triggers fire close together. #23181, Commit
- 🛑 Cancellation event delivery reliability. Cancelled chat processing now safely emits task-cancel and error events only when an event emitter is available, while provider HTTP errors now also route through task-cancel handling so chats recover from blocked-loading states more reliably. #23663, Commit, Commit
- 🔑 OIDC key-rotation recovery. OIDC login now retries token authorization with refreshed provider signing keys after a bad-signature failure, so logins recover automatically after identity-provider key rotation without requiring a service restart. #23582, Commit
- 🌍 Non-ASCII tag filtering. Prompt and model tag filters now handle non-Latin tags more reliably across SQLite and PostgreSQL, so tags like Cyrillic values return the expected items in Workspace lists. #23381, #23427, Commit
- 🏷️ Prompt tag query accuracy. Prompt tag filtering now uses JSON-element-aware queries so tag-based lookups return the correct prompts. Commit, #23386
- 🗃️ SQLite async pool compatibility. SQLite async database setup no longer forces an explicit queue pool class, avoiding pool configuration conflicts in SQLite deployments. Commit
- 🧠 Knowledge embedding deadlock prevention. Knowledge file processing now runs blocking vector-save work in a worker thread while keeping async status updates reliable, preventing file processing from stalling during long embedding operations. Commit, Commit
- 🤖 Automation worker async DB handling. Automation claiming and run recording now use async database sessions consistently, improving worker stability for scheduled automations. Commit
- 🕒 Automation timezone scheduling. Scheduled automations now calculate each user’s next run time using that user’s saved timezone, preventing run drift caused by server-time fallback. Commit
- 🔎 Notes search matching. Notes search now handles multi-word and hyphenated queries more reliably, so relevant notes and snippets are easier to find from partial phrase searches. Commit
- 📐 Display math rendering. Chat markdown now correctly recognizes and renders "$$...$$" expressions as display math, improving reliability for multiline and escaped KaTeX content while keeping malformed delimiters from disrupting message rendering. #23526, Commit
- 🚫 LDAP empty-password rejection. LDAP login now rejects empty or whitespace-only passwords before bind attempts, preventing unauthenticated simple-bind behavior from granting access on permissive LDAP server configurations. #23633
- 🌐 IPv6 SSRF address blocking. URL validation now uses standard IP address checks for both IPv4 and IPv6, preventing private, loopback, link-local, reserved, and mapped-address SSRF bypasses through IPv6 hostname resolution. #23453
- 🔒 API key endpoint restriction bypass. API key endpoint restrictions are now enforced regardless of whether the key is sent through Authorization headers, cookies, or "x-api-key", preventing bypass through alternate key transport paths. #23637
- 🔐 Channel sharing permission enforcement. Channel creation and updates now enforce allowed access grant rules for public sharing, preventing unauthorized wildcard sharing on group channels. #23638
- 🛑 Socket role invalidation. Socket sessions now disconnect automatically when a user is demoted or deleted, preventing stale admin privileges from persisting until reconnect. #23642
- 🛂 Tool server access checks. Tool listing now correctly awaits server access checks, preventing users from seeing server-backed tools they do not have permission to use. Commit
- 🛑 Task endpoint access control. Global task listing and direct task stop endpoints are now restricted to administrators, while regular users can stop only their own chat tasks through a scoped chat endpoint. #23454
- 🧱 Redis cache key isolation. Tool server and terminal server cache entries now include the Redis key prefix, preventing multiple Open WebUI instances that share one Redis database from overwriting each other’s cached connection data. #23649
- 🧠 Client session leak prevention. Outbound provider requests now use a shared session pool with safer response cleanup and shutdown handling, preventing aiohttp session buildup and reducing memory growth during heavy concurrent API traffic. #23540, Commit
- 🧩 Tool enum value handling. Tool schema generation now safely handles enum values as strings, preventing failures when OpenAPI parameters include non-string enum entries. #23597, Commit
- 🧷 Responses model access control. The OpenAI-compatible Responses endpoint now enforces per-model permissions, preventing non-admin users from accessing models they are not allowed to use. #23481
- 🛡️ Collection process endpoint permissions. Collection processing endpoints now enforce collection ownership checks for web and text processing requests. Commit, #23634
- 📚 Knowledge query access enforcement. Knowledge-base collection queries now block unauthorized enumeration and require read access before returning results. Commit, #23635, #23452
- 🔍 RAG collection query permissions. Vector search collection queries now enforce access checks before retrieval results are returned. Commit, #23627
- 🔗 Chained base model access checks. Chained base model execution now enforces per-model access rules to prevent unauthorized model usage. Commit, Commit, #23647
- ✍️ Collaborative document write checks. Collaborative document updates now require proper write permission before changes are accepted. Commit, Commit, #23624
- 📥 Model import ownership validation. Model import now enforces ownership and access grant checks to prevent unauthorized imports. Commit, #23628
- 🚫 Inactive member channel access. Deactivated group members can no longer read or write channel content through direct API calls, so channel permissions now match active membership status. #23623
- 🎛️ Ollama endpoint model permissions. Restricted models are now protected on Ollama show, generate, embed, and embeddings endpoints, preventing authenticated users from using private models without read access. #23631
- 🧭 Azure deployment path validation. Azure model names are now validated and safely encoded before request URL construction, preventing path traversal attempts from reaching unintended Azure endpoints. #23629
- 👥 Private channel member list access. Standard channel member lists now require proper read permission, preventing unauthorized users from enumerating members of private channels by direct API calls. #23625
- 🌀 Tool server schema recursion safety. Tool server OpenAPI conversion now handles circular request schema references safely, preventing conversion crashes and ensuring one bad tool server spec does not break the full tool server list. #23588, Commit
- 🧱 Safer file path handling. File upload, transcription cache, and model download paths now use safer path construction helpers to reduce path parsing risks and improve cross-platform path safety. Commit
- 🧾 Prompt save error feedback. Saving prompt edits now shows a clear error toast if the save fails, so failed updates are visible instead of silently failing in the editor flow. Commit
- 🧾 Tool call JSON rendering. Tool call arguments and structured results now render as plain formatted JSON blocks instead of markdown code fences, preventing formatting quirks and making tool output easier to read consistently. Commit
- 👥 First-user admin race protection. Concurrent first-time LDAP or OAuth registrations can no longer create multiple admin accounts, so only the true first account is promoted during initial setup. #23626
- 🔒 SCIM token checks. SCIM authentication now compares tokens in a safer way, helping prevent timing-based token guessing attacks. #23577
- 🔒 Safer file access checks. HTML file previews now treat missing or non-admin owners as inaccessible, preventing accidental access to files that should not be shown. Commit
- 🖼️ ComfyUI request hangs. Concurrent image generation and editing requests to ComfyUI now complete reliably instead of getting stuck when the same user starts multiple requests at once. #23592, #23591
- 🧭 Permission-aware built-in tools. Built-in tools now consistently respect user feature permissions for memories, web search, image generation, code interpreter, notes, channels, and automations, preventing tools from being exposed to users without access. Commit
- 🛑 Interrupted MCP cleanup stability. Interrupted MCP tool calls no longer leave runaway cleanup behavior that can drive container CPU usage to 100%, keeping instances stable after cancellations or dropped connections. #23143
- 🚪 OAuth redirect URI reliability. OAuth login redirects now use provider client metadata more consistently, preventing incorrect HTTP callback URLs behind reverse proxies and improving sign-in reliability for providers such as Feishu. #23203, #23128
- 🌐 OAuth redirect handling. OAuth provider token exchange now follows redirects automatically, improving sign-in reliability with identity providers that redirect token endpoint requests. #23409, Commit
- ☁️ OneDrive picker redirect handling. OneDrive file picker authentication now uses the current app origin as the redirect URI, improving sign-in reliability when launching the picker from deployed environments. #23450, Commit
- 🍪 OAuth session cookie persistence. OIDC sign-in now correctly sets the "oauth_session_id" cookie, so "system_oauth" connections can forward user OAuth tokens to upstream providers as expected. #23251, #23250
- 🔑 OAuth session cookie handling. OAuth callback processing no longer fails on undefined cookie expiry data, so OAuth session cookies are stored correctly after sign-in. #23207, #23197
- 🔏 Ollama SSL handling. Ollama model management and file uploads now respect the configured SSL verification setting, so self-signed certificates work when SSL verification is disabled. #23503, Commit
- 🛡️ OAuth avatar URL validation. OAuth sign-in now validates profile picture URLs before fetching them, preventing invalid image links from causing login-time errors. #23356
- 🔑 User invite token expiry. New user invite logins now respect the configured "JWT_EXPIRES_IN" setting, so signup tokens expire as expected instead of using the default lifetime. #23576
- 🚪 Channel access checks. Channel actions now verify the current user when checking access, improving permission enforcement across channel views and message actions. Commit
- 📣 Channel message lookups. Channel message details and pinning now work more reliably when the sender account is missing, avoiding failures in those views. Commit
- 📌 Pinned webhook message handling. Viewing pinned webhook messages now works reliably even when webhook profile data is missing, preventing server errors and frontend crashes in channel pinned message dialogs. #23414
- 🛡️ Note edit permission enforcement. Note saving now requires write access instead of read access, preventing unauthorized users from modifying notes while preserving expected collaboration permissions. Commit
- 🗂️ Archived chats menu visibility. The 'Archived Chats' option in the user menu is now shown reliably for all users, so non-admin accounts can consistently access archived conversations. Commit
- 💾 Error message persistence. LLM errors that occur during streaming are now saved to the database even if the connection drops, so users can see what went wrong when they reconnect. #23231
- 🚫 Missing message completion guard. Chat completion finalization now skips invalid requests without a message identifier, preventing unnecessary error toasts caused by rare frontend concurrency timing. #23184
- 🧠 Active message completion accuracy. Switching chats or refreshing during generation no longer marks the currently streaming assistant message as finished too early, so thinking blocks and action buttons appear at the correct time. #23171
- 📞 Call overlay visibility. Incoming call events now open the call overlay and controls reliably, preventing cases where the call interface briefly appeared and then disappeared. Commit
- 💬 Prompt submission handling. Chat messages now preserve attached files more reliably when prompts are sent, including queued messages and shared prompt actions. Commit
- 🧾 Prompt variable form saving. Prompt variable forms now save reliably without runtime errors or an unresponsive save action, so input values and placeholders work correctly when applying prompt templates with variables. #23225, #23480
- 🛟 Task model fallback safety. Task routing now handles missing default model entries safely, preventing task execution failures when the previously selected model is no longer available. #23169
- 📊 Usage statistic preservation. Follow-up generation no longer overwrites existing token usage fields, so stored usage statistics remain accurate for the main response. #23152
- 📝 Writing block parsing reliability. ":::writing" blocks now parse more reliably when headers or extra inline text are present, preventing malformed rendering and duplicate output artifacts. #23174
- 🧾 Code block line break reliability. Blank lines in submitted code blocks are now preserved more reliably instead of being collapsed. Commit, #20302, #23451
- ✂️ Citation spacing cleanup. When citations are disabled for a model, citation markers and their leftover spacing are now removed together so punctuation and copied text remain cleanly formatted. #23141
- 🧰 Pipe tool access. Pipe functions now receive built-in and MCP tools in tools, so tools like Web Search and code execution are available when enabled. #23365
- 📚 Batch file processing database handling. Batch knowledge file processing now consistently uses the active database session, preventing failures caused by missing database context during file ownership checks and update writes. #23137
- ⚙️ Default model parameter loading. The "DEFAULT_MODEL_PARAMS" environment variable is now parsed and applied correctly, so default generation settings are honored reliably without being ignored at startup. #23223
- 🔧 Web search settings save reliability. Saving web search configuration now works without server errors, so administrators can update "WEB_FETCH_MAX_CONTENT_LENGTH" and related retrieval settings successfully from the admin interface. Commit, #23127
- 🔍 Web search result count. The built-in search_web tool now respects the admin-configured "Search Result Count" setting instead of always returning 5 results when using Native Function Calling mode. #23488, #23485
- 🖼️ Open Terminal file response handling. Open Terminal tool responses now preserve binary content types in user-side connections, so image and non-text file reads work consistently instead of being forced into plain text. #23125
- 🖥️ Terminal label casing. Terminal names in the chat input now display exactly as stored instead of being automatically capitalized, so domain-style server names appear correctly. #23518
- 🖼️ Gravatar profile photo saving. Gravatar profile images can now be saved successfully from account settings, with clearer validation and error handling instead of failing with generic object errors. #23156
- 🪟 Details expansion preference. Tool call detail groups now honor the 'Always Expand Details' chat setting, so they open expanded by default when that preference is enabled. #23262, #23255
- 🖱️ Rapid sidebar action protection. Archive and delete actions in the chat sidebar now ignore repeated clicks while a request is in progress, preventing duplicate requests and stacked error toasts. #23172
- 📲 Mobile model selector positioning. The mobile model selector dropdown now applies a constrained viewport width and left offset, preventing overflow and making model selection easier on small screens. #23310
- 🔽 Task list toggle icons. The task list collapse button now shows the correct arrow direction, making task sections easier to expand and collapse at a glance. Commit, #23354
- ➕ Attachment menu auto-close. The chat attachment menu now closes immediately after selecting upload actions like file upload, camera capture, web attach, Google Drive, or OneDrive, preventing the menu from lingering on screen. Commit, #23320
- 🧹 Per-chat draft clearing. Sent message drafts are now cleared using the active chat key, so sent text no longer reappears in the input after a refresh. Commit, #23296
- ✉️ Context-aware input action button. The input now shows the send action when text or files are present during generation, while keeping stop controls for truly empty input states to avoid action confusion. Commit, #23306
- 📉 Pyodide prompt cache stability. Pyodide code interpreter context is now appended to the system prompt instead of user messages, preserving stable prefix caching across turns and reducing repeated token costs in long native tool-calling chats. #23269
- 🧪 Temp chat outlet filtering. Outlet filters now process temporary chats more reliably, preserving assistant output and usage data so local chat responses stay consistent when filter pipelines are enabled. Commit
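The "IPv6 SSRF address blocking" entry above (#23453) describes validating URLs with standard IP address checks for both IPv4 and IPv6, including mapped addresses. The following is an added illustration of that kind of check using Python's `ipaddress` module. It is not Open WebUI's code: the function names, the injectable resolver and the sample DNS answers are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_blocked_ip(addr: str) -> bool:
    """True if addr (IPv4 or IPv6 text form) must not be fetched server-side."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) reaches the embedded IPv4
    # host, so classify the embedded address rather than the IPv6 wrapper.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_reserved or ip.is_multicast or ip.is_unspecified
    )


def system_resolver(host: str) -> list[str]:
    """Return every A and AAAA address the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def validate_url(url: str, resolve=system_resolver) -> bool:
    """Allow a URL only if it is http(s) and no resolved address is blocked."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed bracketed host
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addresses = resolve(host)  # hostname: check every answer
        except OSError:
            return False
    # One internal answer is enough to reject: the client may pick any of them.
    return bool(addresses) and not any(is_blocked_ip(a) for a in addresses)


# Constructed DNS answers for the demo (hypothetical hosts, no real lookups).
SAMPLE_DNS = {
    "public.example": ["2606:4700:4700::1111"],
    "v6-internal.example": ["fd12:3456:789a::10"],
    "mixed.example": ["93.184.216.34", "::ffff:10.0.0.5"],
}


def sample_resolver(host: str) -> list[str]:
    if host not in SAMPLE_DNS:
        raise OSError(f"no constructed answer for {host}")
    return SAMPLE_DNS[host]


if __name__ == "__main__":
    for url in ("https://public.example/a.png", "http://v6-internal.example/",
                "http://mixed.example/", "http://[::ffff:169.254.169.254]/"):
        print(url, "->", "allow" if validate_url(url, sample_resolver) else "block")
```

A check like this only covers the URL as submitted. Each redirect hop needs the same validation or redirects must stay disabled, and the connection should be made to the address that was validated rather than re-resolving the name.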
Changed
- ⚠️ Database Migrations: This release includes database schema changes; we strongly recommend backing up your database and all associated data before upgrading in production environments. If you are running a multi-worker, multi-server, or load-balanced deployment, all instances must be updated simultaneously; rolling updates are not supported and will cause application failures due to schema incompatibility.
- 🧨 Plugin async migration required. Custom plugins for Tools, Functions, and Pipelines may require migration to the new async backend signatures after upgrading, so plugin maintainers should update handlers and database call patterns for compatibility and follow the 0.9.0 plugin migration guide. Migration Guide
- 🔄 Automation terminal source. Automations now use the terminal configured on the selected model instead of a separate per-automation terminal picker, keeping terminal behavior consistent between chat and scheduled runs. Commit
- 🚧 OpenAI passthrough now opt-in. Direct OpenAI catch-all proxy requests are now disabled by default and require enabling "ENABLE_OPENAI_API_PASSTHROUGH", so deployments relying on passthrough must explicitly turn it on after upgrading. #23640
- 🗄️ SQLite WAL default enabled. SQLite deployments now default to enabling write-ahead logging, improving concurrent read and write behavior without requiring manual configuration. Commit
- Terminal server connection security preventing API key exposure
- Terminal server connection security fix
- API files endpoint fix
- Responses API streaming and stateful sessions
- Google OAuth refresh token support
- 25% faster page rendering and reduced memory usage
- MariaDB Vector database backend support
- OIDC custom logout endpoint configuration
- Task message truncation for efficiency
- Jupyter notebook execution and preview
- SQLite database browser
- Multi-format file previews with Mermaid diagrams
- File drag-and-drop moving between directories
- HTML file preview with rendered view
- WebSocket proxy for interactive terminal sessions
- Connection access control now defaults to private for connections without explicit access grants
- Open Terminal integration with file browsing, editing, and upload capabilities
- Docker image SBOM attestation for supply chain security
- Reporting-Endpoints security header configuration
- Anthropic Messages API proxy for Claude Code integration
- Multi-device OAuth sessions without session termination
- Agent memory management with deletion and listing
- Model edit shortcut from model selector dropdown
- Image edit API background parameter support
- User-selected skills now have full content injected into chats
- Chat toggles enable per-conversation control of web search, image generation, and code execution
- Image preview in file management modal
- Database schema changes require simultaneous multi-instance updates; rolling updates not supported
- Fixed public sharing security issue where write-access users could bypass sharing restrictions
- Responses API endpoint with model routing for vLLM compatibility
- SCIM externalId support for better identity provider integration
- Batch database queries for improved access control performance
- Database schema changes require simultaneous multi-instance updates
- Long-running chat_message table migration may require significant downtime
- Analytics dashboard with model usage, token consumption, and user activity
- Experimental Skills support for reusable AI skills
- Experimental Open Responses protocol for extended thinking and streaming reasoning
Reliability improvements including database connection timeout fixes for high-concurrency scenarios, prompt editor fixes, and speech-to-text functionality restoration.
Improved reliability for resource-constrained deployments by disabling database session sharing by default, resolving page timeout issues on low-spec and SQLite environments.
- Native function calling with built-in tools
- Context search from notes and chats
- Database performance optimization