open-webui/open-webui v0.9.0 on GitHub

Caution

⚠️ Database Migrations: This release includes database schema changes; we strongly recommend backing up your database and all associated data before upgrading in production environments. If you are running a multi-worker, multi-server, or load-balanced deployment, all instances must be updated simultaneously, rolling updates are not supported and will cause application failures due to schema incompatibility.

Added

🖥️ Official Open WebUI Desktop App. Open WebUI is now available as a native desktop app for Mac, Windows, and Linux. No Docker, no terminal, no setup. Runs Open WebUI locally without any server setup, or connects to your existing remote Open WebUI instances. Switch between multiple servers instantly from the sidebar. Comes with a system-wide floating chat bar (Shift+Cmd+I on macOS, Shift+Ctrl+I on Windows/Linux), system-wide push-to-talk, offline support after first launch, automatic updates, and zero telemetry. #8262, Desktop
🤖 Scheduled chat automations. You can now schedule the AI to run tasks automatically on a recurring basis: daily digests, periodic reports, anything you'd otherwise need to remember to ask for. Create and manage automations from the Automations page or directly in chat, with full run history and manual trigger controls. #23303, Commit, Commit, Commit, Commit
🧰 Automation tools in chat. Built-in chat tools can now create, update, list, pause, and delete scheduled automations directly in conversation when automation access is enabled. Commit
⏱️ Automation scheduling limits. Administrators can now set "AUTOMATION_MAX_COUNT" and "AUTOMATION_MIN_INTERVAL" to limit how many automations each non-admin user can create and prevent overly frequent schedules that could overload the system. Commit
📋 Task management tool. AI models can now create, update, and track tasks within a chat conversation, breaking down complex requests into manageable steps with real-time status updates. Commit
🗓️ Calendar workspace and event management. Open WebUI now has a full Calendar workspace. Create and manage events, set up recurring schedules, get reminders via in-app toasts or browser notifications, and see your scheduled automations alongside your calendar. #23880
🔔 Calendar reminders and alerts. Calendar events now support reminder options from no alert up to one hour before start time, with upcoming alerts delivered through in-app toasts, browser notifications, and optional webhooks while avoiding duplicate sends. Commit
⚙️ Scheduler reminder configuration. Administrators can now configure calendar reminder processing with "SCHEDULER_POLL_INTERVAL" and "CALENDAR_ALERT_LOOKAHEAD_MINUTES", while existing "AUTOMATION_POLL_INTERVAL" setups continue to work as a legacy fallback. Commit
☁️ Azure responses support. Azure OpenAI connections now support the newer "/openai/v1" format, enabling chat, responses, and proxy calls to work correctly with that endpoint style. #23484
🤖 Ollama responses support. The Ollama proxy now supports the Responses API, letting clients use "/v1/responses" directly with Ollama-hosted models through Open WebUI. #23483
🧩 Responses tool output rendering. Built-in tool outputs in Responses API flows now render more consistently so downstream chat output is easier to interpret. Commit, #23482
🔎 Responses citation visibility. Responses API flows now emit citation sources more consistently, making linked references easier to preserve and display in chat output. Commit, #23774
📎 Attach previously uploaded files. The chat input menu now includes a Files tab for browsing and attaching previously uploaded files, eliminating the need to re-upload files you have already shared. Commit
🧷 Default model terminal selection. Workspace model editors can now preselect an Open Terminal connection, so new chats automatically start with the model’s configured terminal ready to use. Commit, #23605
🎙️ Mistral TTS support. Mistral can now be used as a text-to-speech provider, with admin settings for the API key, base URL, voices, and model selection. Commit
🎧 STT preprocessing bypass option. Administrators can now enable "AUDIO_STT_SKIP_PREPROCESSING" to send audio files directly to the speech-to-text backend, reducing memory and CPU consumption during large uploads for better transcription performance and stability on constrained deployments. #23661
🗑️ Admin model deletion. Administrators can now delete Ollama models directly from the model selector menu, making it easier to clean up unused or unwanted models. Commit
🔌 Backend outlet filters for local and persisted chats. Pipeline and function outlet filters now run reliably in backend completion flows for persisted chats and temporary local chats. #3237, Commit
🎨 Emoji shortcode support. Typing a colon in the chat input now opens an emoji suggestion menu, making it easier to insert emojis using shortcodes like 👋. Commit
📌 Recently used emojis. The emoji picker now shows your most recently used emojis at the top, making it faster to find emojis you use often. Commit
👆 Swipe to reply on mobile. Swiping right on a message now triggers a reply, making it easier to respond on touch devices with a natural gesture. Commit
📱 Screen-awake voice recording. Voice recording now keeps the screen awake during active dictation and safely re-acquires wake lock after visibility changes, helping prevent long transcriptions from being cut off on mobile devices. #23145
🔔 Unread chat indicators. Sidebar chats now show unread status and are marked as read when opened, making it easier to spot conversations with new activity. Commit
🔌 WebSocket reconnect status feedback. Open WebUI now warns when the real-time connection drops and confirms when it reconnects, while avoiding a reconnect message on the initial page load. Commit
📍 Pinned notes in sidebar. Notes can now be pinned to the sidebar for quick access, and you can also create a new note directly from the pinned notes section. Commit, Commit
🗂️ Model selector focus. The model selector now resets its search only when it opens, making the popup feel more predictable while still focusing the search field automatically. Commit
🗂️ Model selector layout. The model selector now behaves more predictably as a custom popup, and the completions playground uses a simpler model picker for easier selection. Commit
🎚️ Active filter valve shortcut. Active filter badges now expose valve configuration directly in the chat input area, so filter tuning is faster during conversations. Commit, #23811, #23813
🎨 Theme updates. Other windows can now update the app theme directly, keeping the interface in sync when theme changes are triggered externally. Commit
🚀 Async performance and responsiveness improvements. The core backend database and request paths now run asynchronously across the application, massively improving responsiveness and performance under concurrent load and reducing request blocking during heavy activity. Commit, Commit
⚡ Drawer performance and memory optimization. Drawer interactions now stay smoother over long sessions by removing stale keyboard listeners on teardown, which reduces memory growth and avoids accumulated event handling overhead. #23724
🚀 Chat history memory culling. Long conversations now stay responsive no matter how many messages they contain. Off-screen messages are unloaded automatically and reloaded as you scroll, keeping memory usage low and the UI smooth on both desktop and mobile. #23067, Commit, Commit
🧵 Async file and knowledge processing performance. File processing, knowledge reindexing, and channel message helper paths now consistently await async operations, preventing skipped processing steps and improving reliability and performance of indexing and tool responses. Commit
🚀 Persistent chat payload efficiency. Persisted chats now use server-side history loading instead of repeatedly resending full message payloads, improving multimodal performance and reducing stale-history overwrite risk across devices. #19064, Commit, Commit
🧵 Non-blocking file storage operations. Uploading, reading, transcribing, and deleting files now offloads storage I/O to background threads, keeping the application responsive during file-heavy workflows. Commit
🏎️ Streaming response performance. Streaming responses now process each output line in a single step instead of two separate yields, reducing async overhead and improving responsiveness during long-running generations. #23266
🔎 Faster mention parsing. Chat text with HTML-like content, file paths, or tool output now parses mentions more efficiently, which helps keep typing and rendering responsive in messages that contain many '<' characters. #23551
🧪 Code block rendering performance. Code blocks now reuse a shared HTML unescape helper, reducing extra browser work when displaying encoded output in chat. #23553
🚀 Inline code rendering performance. Inline code tokens in streaming responses now fade in with a lightweight CSS animation, making chat output feel smoother while reducing interface overhead during rapid token updates. #23258
🎞️ Streaming text token animation performance. Streaming text tokens now use a lightweight CSS intro animation, making output feel smoother while reducing transition overhead and preventing tokens from fading out when generation completes. #23257
🎯 Template token scan optimization. Streaming responses now skip unnecessary token-replacement processing when no template markers are present, reducing per-update overhead and keeping chat output smoother during rapid generation. #23161
🔬 Chinese text processing guard performance. Streaming responses without Chinese characters now skip unnecessary Chinese-format processing checks, reducing per-update overhead and keeping output smoother during rapid generation. #23162
🧠 HTML entity decode performance. Streaming text decoding now avoids repeated document parsing for HTML entity handling, reducing memory churn and improving responsiveness in token-heavy chat output. #23165
🏷️ Chat title update performance. Chat title updates now run in a single database operation instead of multiple round trips, improving responsiveness and reducing overhead when titles are generated or renamed. #23214
📂 Faster chat list queries performance. Chat and folder lists now load more efficiently by fetching only the fields needed for sidebar views, improving responsiveness when browsing large conversation histories. Commit
📈 Sidebar memory optimization. Sidebar chat items now use shared drag-preview resources and safer listener cleanup, reducing memory growth and keeping large chat lists more responsive during long sessions. #23209
🧠 Image viewer memory optimization. Viewing images and SVGs now uses significantly less memory and performs faster, keeping the application snappy and responsive even when browsing through many media files during extended sessions. #23236
📡 Optimized user activity tracking performance. User activity updates now use a single database query instead of multiple operations, improving response times across all authenticated requests. #23215
👥 Faster channel thread author loading. Channel thread responses now load author details in a single batch query, reducing database overhead and improving responsiveness in threads with many participants. #23795
💨 Optimized shared chat deletion. Deleting shared chats by user is now faster and more memory-efficient by only loading necessary data. #23216
🗃️ Faster chat tag loading. Chat tag lookups now load only the metadata needed instead of full chat payloads, improving responsiveness for chats with large histories. #23798
📎 Faster chat file deduplication. Attaching files to chat messages now checks duplicates more efficiently, reducing overhead when handling larger file lists. #23800
📈 Faster message diff checks. Chat message and status updates now compare content more efficiently during streaming, making active conversations feel smoother and more responsive. #23370
⚖️ Faster deep equality checks. Chat message updates, model selection, note editing, code block refreshes, and rich text state comparisons now use deep equality checks that reduce unnecessary UI work and improve responsiveness in active sessions. #23845
🏃 Faster knowledge access updates. Updating access grants for knowledge items now completes with less backend overhead, making permission changes apply more quickly. #23799
🧹 Mermaid render cleanup performance. Mermaid diagrams now always clean up temporary render elements after failures, reducing DOM buildup and keeping repeated rendering more stable over time. #23727
🖼️ Model image lookup efficiency. Model profile image requests now reuse the current request database session, reducing per-request overhead and improving response efficiency. #23796
👤 User endpoint query reduction. Session-based user settings and status endpoints now avoid redundant user re-fetches, reducing unnecessary database load while preserving behavior. #23794
🚦 Faster startup performance. Open WebUI now checks for Torch MPS support only on macOS, avoiding unnecessary startup work on other platforms. #23438
🛡️ Redis timeout consistency. Redis connections now honor the "REDIS_SOCKET_CONNECT_TIMEOUT" setting across standard and cluster setups, helping workers fail faster when Redis is unreachable. #23572
🧰 AIOHTTP pool controls. Administrators can now tune shared outbound HTTP connection behavior with "AIOHTTP_POOL_CONNECTIONS", "AIOHTTP_POOL_CONNECTIONS_PER_HOST", and "AIOHTTP_POOL_DNS_TTL" for better control under high concurrency. Commit
⏱️ MCP tool server timeout configuration. Administrators can now configure request timeouts for MCP tool server connections via the AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER environment variable. Commit
🎫 Static OAuth tool authentication. Tool server authentication now works reliably for both "oauth_2.1" and "oauth_2.1_static" connection types, so OAuth-backed tool access is correctly detected and forwarded during chat requests. Commit
🗄️ Configurable storage local cache. Administrators can now disable persistent local caching for cloud-backed uploads with the "STORAGE_LOCAL_CACHE" setting, reducing local disk usage by cleaning temporary upload copies after processing. Commit
🚪 Back-channel logout. OpenID Connect providers can now trigger centralized logout through the "ENABLE_OAUTH_BACKCHANNEL_LOGOUT" setting, helping administrators invalidate user sessions more reliably across connected devices. Commit
🛡️ Expanded security header controls. Administrators can now configure additional browser security headers, including "CONTENT_SECURITY_POLICY_REPORT_ONLY", "CROSS_ORIGIN_EMBEDDER_POLICY", "CROSS_ORIGIN_OPENER_POLICY", and "CROSS_ORIGIN_RESOURCE_POLICY", for stricter and more flexible deployment hardening. Commit
🖼️ Image MIME fallback option. Administrators can now enable "ENABLE_IMAGE_CONTENT_TYPE_EXTENSION_FALLBACK" so image-to-base64 conversion can still detect common image types by file extension when MIME metadata is missing, improving compatibility on minimal container images and older file records. Commit
🛡️ Public sharing permissions. Public channels, models, notes, prompts, and tools now respect allowed access grants more consistently, helping administrators control who can share content more safely. Commit
🆔 Skill lookup by ID. Skill instructions now include each skill’s ID, and the skill viewer now finds skills by ID in a case-insensitive way so attached skills are identified more reliably in chats. Commit
🏷️ Source context metadata. Retrieval source context now includes each source’s resource type and resource ID metadata, helping downstream model workflows preserve richer source identity during processing. Commit
🗂️ Feedback filtering. Administrators can now filter feedback history by model and export only the feedback they need. Commit
📤 CSV feedback export. Feedback history can now be exported as either JSON or CSV, making it easier to analyze feedback in spreadsheet tools. Commit
📝 Optional GET audit logging. Administrators can now enable auditing for GET requests with the "ENABLE_AUDIT_GET_REQUESTS" setting when they need fuller request visibility. Commit
🕒 Model access updates. Changing a model’s access grants now updates its timestamp, so recently modified models stay easier to find and sort correctly. Commit
💬 Queued message handling. Queued chat messages now send more reliably without advancing the queue too early, keeping follow-up prompts in the intended order. Commit
🔒 Rendered content safety. Placeholder descriptions and the pending account notice now render markdown with safer sanitization ordering, reducing the risk of unsafe HTML appearing in these views. Commit
🛡️ Safer placeholder rendering. Chat placeholder descriptions and the pending account notice now sanitize rendered markdown more consistently, reducing the risk of unsafe content being shown in these views. Commit
🧮 Usage analytics accuracy. Token usage is now normalized before chat messages are saved, so model and user usage reports stay accurate across OpenAI-compatible providers. Commit
🧩 Richer Anthropic tool results. Anthropic-compatible tool calls now preserve more tool result content types, including images and structured search or document outputs, so models can use fuller tool context instead of receiving only plain text fragments. #23188, Commit
🖼️ ComfyUI request reliability. ComfyUI image generation and editing now use shared async connections with consistent SSL handling, making image uploads and workflow runs more reliable under concurrent load. Commit
🎛️ Reranking batch size control. Administrators can now set "RAG_RERANKING_BATCH_SIZE" in Documents settings to control reranking workload size, helping balance retrieval speed and resource usage for their deployment. Commit
🔗 Shared chat access controls. You can now control who has access to a shared chat by granting access to specific users or groups, instead of sharing with anyone who has the link.
🔄 General improvements. Various improvements were implemented across the application to enhance performance, stability, and security.
🌐 Translation updates. Translations for Irish, Catalan, German, Simplified Chinese, Hindi, and Portuguese (Brazil) were enhanced and expanded.

Fixed

🛡️ Model description XSS protection. Model descriptions shown in chat placeholders are now sanitized before rendering, preventing malicious links from executing scripts and helping protect user sessions from takeover. #23621
🧠 Memory search filtering. Memory search now correctly filters by the query text instead of returning unrelated results. Commit, #23826
📊 Shared chat analytics consistency. Usage and message-count analytics now count assistant activity consistently across regular and shared chats, improving accuracy in model, user, chat, and time-based reporting views. Commit
🧭 Safer in-flight chat navigation. Sending a message no longer overwrites your active chat or causes duplicate background notifications when you switch conversations before a response finishes. Commit
🗣️ Pipeline error detail visibility. Pipeline inlet and outlet failures now preserve and surface provider error details more reliably in chat error messages, making troubleshooting failed requests much clearer. Commit
📨 Shared chat event routing. Message update and send events now target the chat owner’s event channel, so shared chats receive the correct real-time updates instead of routing events to the acting user. Commit
🔐 Consistent outbound SSL handling. External requests for tools, functions, terminals, webhooks, retrieval loaders, audio provider discovery, and OpenAI-compatible embedding calls now consistently apply the configured SSL client setting, improving reliability for deployments that require custom certificate or verification behavior. Commit, Commit
🖼️ Image SSL setting support. Image generation now respects the configured SSL session setting, preventing avoidable connection failures in strict certificate environments. Commit, #23777
🗂️ Folder ownership assignment hardening. Folder create and update inputs now reject unexpected extra fields, preventing clients from overriding protected values like ownership through mass-assignment payloads. #23648
🔐 Knowledge file deletion ownership checks. Collaborators with knowledge base write access can no longer permanently delete files they do not own, preventing unintended file removal across other linked chats and knowledge bases. Commit, #23636
🗑️ Knowledge deletion reliability. Deleting a knowledge base by ID now completes reliably without unexpected failures. Commit, #23776, #23814
🔐 OAuth 2.1 PKCE enforcement. OAuth 2.1 providers now default to S256 PKCE even when discovery metadata omits supported challenge methods, preventing login failures with providers that require PKCE by default. #23667, Commit
🔐 Static OAuth scope handling. Static OAuth credential flows now prioritize administrator-defined scopes and handle OAuth 2.1 static flow behavior more reliably. Commit, #23668, #23696, #23783
🔐 Static OAuth tool registration reliability. Static OAuth tool server registration now resolves and uses saved admin credentials more reliably, preventing registration failures when valid client credentials are provided. #23670, Commit, Commit
⏳ OAuth token expiry fallback. OAuth sessions now always store a safe expiry value even when providers omit "expires_in" or "expires_at", so token refresh checks continue working and tool calls are less likely to fail later with unexpected authorization errors. #23669, Commit
🔑 Anthropic x-api-key model access. Anthropic-compatible clients can now authenticate with the "x-api-key" header across all relevant API routes, so model listing requests like GET "/api/v1/models" no longer fail with unauthorized errors. #23319, Commit
🔑 SSO password option visibility. Account settings now hide password change controls when password-change access is disabled, avoiding misleading password options for SSO-focused setups. #15292, Commit
🔑 Open Terminal MCP authentication. Open Terminal MCP tool calls now include the configured API key when calling internal routes, preventing unauthorized errors for commands like file reads and command execution. #106
🧯 Provider error freeze recovery. Task-based chat requests now surface provider HTTP errors through normal failure handling, so content-filter and other upstream 4xx responses no longer leave chats stuck in a perpetual loading state. #23663, Commit
🔄 Immediate outlet filter updates. Assistant messages modified by outlet filters now appear correctly as soon as streaming completes, without requiring a page refresh. #23829
🌊 Middleware cancellation reliability. Long-running requests now complete more reliably by preventing middleware-level cancellations from interrupting in-flight database and embedding work, reducing unexpected failures and noisy error logs when connections close early. #23709
🚦 Async vector search responsiveness. File processing, memory updates, and knowledge retrieval no longer block the server event loop during vector database operations, so other chats and requests stay responsive while indexing or search is running. #23706
🗒️ Notes chat llama.cpp compatibility. Notes AI chat no longer sends empty assistant prefill messages that can conflict with reasoning-enabled llama.cpp responses, preventing immediate 400 errors in Notes conversations. Commit, #23703
🧩 Ollama thinking field preservation. Messages modified by filters now keep the Ollama "thinking" field when sent to the model, so reasoning-aware workflows and custom filter-based passthrough setups work reliably. Commit, #22508
🧾 Reasoning content preservation. Assistant tool-call messages now retain reasoning content across turns, improving reliability for reasoning-heavy model workflows. Commit, #23175, #23742
🧭 Background task scoping for new chats. Chat title and auto-tag generation now run only for the first message of a new conversation and only once in multi-model responses, preventing duplicate or incorrectly triggered background tasks in follow-up flows. Commit
📚 Channel document context retention. Channel conversations now preserve and load the correct stored message history so model responses can use uploaded and retrieved document context more reliably. #23686, Commit, Commit
⏳ Interrupted response recovery. Assistant placeholder messages now start as incomplete and recover more safely after interrupted generations, preventing silent empty replies after refreshes or dropped requests. #23176, Commit, Commit
🧰 Large tool result rendering. Tool call details now display large result payloads reliably in chat instead of intermittently showing empty output for bigger tool responses. #18743, Commit
🧼 Null-byte document sanitization. PDF and other document ingests now sanitize null bytes and invalid surrogate characters before pgvector writes, preventing PostgreSQL upload failures and allowing affected files to index successfully. #22992, Commit
📝 Knowledge text editor stability. The Knowledge "Add Text Content" modal now uses a plain text editor, avoiding current rich text editor issues and keeping drafting behavior consistent with existing knowledge editing flows. Commit
🎤 STT SSL setting consistency. Speech and related outbound media requests now consistently use shared async HTTP sessions and honor the configured SSL verification setting, improving compatibility with self-signed deployments. #23672, Commit
🎙️ Mistral speech input format. Mistral speech-to-text requests now use the correct chat-completions audio input format for better compatibility. Commit, #23822
🖼️ Optional image size parameter. Image generation no longer sends the "size" field when no size is configured, improving compatibility with providers that reject unsupported size arguments. #23611, Commit
🔎 FireCrawl timeout reliability. FireCrawl web loading now uses direct scrape requests and improved timeout handling for single-URL fetches, reducing empty results and premature timeout failures with local FireCrawl setups. #23411, Commit
🖱️ Custom action icon drag prevention. Custom user-added action icons in chat responses are no longer accidentally draggable, so clicks and hover interactions behave consistently with built-in action icons. #23412
🖼️ Image URL conversion reliability. Sending image URLs to AI models no longer fails with "cannot pickle 'coroutine' object" errors, so image inputs now convert to base64 reliably during request processing. #23685
📂 Channel input menu dismissal. In Workspace Channels, the message input dropdown now closes immediately after selecting "Upload Files" or "Capture", matching normal chat input behavior and preventing the menu from staying open unnecessarily. #23684
📋 Clipboard copy scroll stability. Copying content with the fallback clipboard method no longer triggers unwanted page scrolling during focus, keeping your current reading position stable. Commit
🖼️ Profile image URL validation. Profile saves now accept valid Open WebUI profile-image paths, trusted external HTTP(S) avatar URLs, and safe raster data-image formats while rejecting unsafe URL patterns that could be abused. #23389
👤 Partial user profile updates. User update API requests can now modify only the fields you provide, so administrators no longer need to resubmit unchanged name, email, and profile image values when changing a single setting like role. #23424, Commit
🚨 Provider SSE error visibility. Provider failures returned with streaming content types are now surfaced as proper API errors and logged clearly, so issues like context-window limits no longer fail silently during chat generation. #23379
🧵 Queued prompt race prevention. Chat request queues now prevent overlapping processing for the same chat, avoiding duplicate queue handling when multiple queue-processing triggers fire close together. #23181, Commit
🛑 Cancellation event delivery reliability. Cancelled chat processing now safely emits task-cancel and error events only when an event emitter is available, while provider HTTP errors now also route through task-cancel handling so chats recover from blocked-loading states more reliably. #23663, Commit, Commit
🔑 OIDC key-rotation recovery. OIDC login now retries token authorization with refreshed provider signing keys after a bad-signature failure, so logins recover automatically after identity-provider key rotation without requiring a service restart. #23582, Commit
🌍 Non-ASCII tag filtering. Prompt and model tag filters now handle non-Latin tags more reliably across SQLite and PostgreSQL, so tags like Cyrillic values return the expected items in Workspace lists. #23381, #23427, Commit
🏷️ Prompt tag query accuracy. Prompt tag filtering now uses JSON-element-aware queries so tag-based lookups return the correct prompts. Commit, #23386
🗃️ SQLite async pool compatibility. SQLite async database setup no longer forces an explicit queue pool class, avoiding pool configuration conflicts in SQLite deployments. Commit
🧠 Knowledge embedding deadlock prevention. Knowledge file processing now runs blocking vector-save work in a worker thread while keeping async status updates reliable, preventing file processing from stalling during long embedding operations. Commit, Commit
🤖 Automation worker async DB handling. Automation claiming and run recording now use async database sessions consistently, improving worker stability for scheduled automations. Commit
🕒 Automation timezone scheduling. Scheduled automations now calculate each user’s next run time using that user’s saved timezone, preventing run drift caused by server-time fallback. Commit
🔎 Notes search matching. Notes search now handles multi-word and hyphenated queries more reliably, so relevant notes and snippets are easier to find from partial phrase searches. Commit
📐 Display math rendering. Chat markdown now correctly recognizes and renders "$$...$$" expressions as display math, improving reliability for multiline and escaped KaTeX content while keeping malformed delimiters from disrupting message rendering. #23526, Commit
🚫 LDAP empty-password rejection. LDAP login now rejects empty or whitespace-only passwords before bind attempts, preventing unauthenticated simple-bind behavior from granting access on permissive LDAP server configurations. #23633
🌐 IPv6 SSRF address blocking. URL validation now uses standard IP address checks for both IPv4 and IPv6, preventing private, loopback, link-local, reserved, and mapped-address SSRF bypasses through IPv6 hostname resolution. #23453
🔒 API key endpoint restriction bypass. API key endpoint restrictions are now enforced regardless of whether the key is sent through Authorization headers, cookies, or "x-api-key", preventing bypass through alternate key transport paths. #23637
🔐 Channel sharing permission enforcement. Channel creation and updates now enforce allowed access grant rules for public sharing, preventing unauthorized wildcard sharing on group channels. #23638
🛑 Socket role invalidation. Socket sessions now disconnect automatically when a user is demoted or deleted, preventing stale admin privileges from persisting until reconnect. #23642
🛂 Tool server access checks. Tool listing now correctly awaits server access checks, preventing users from seeing server-backed tools they do not have permission to use. Commit
🛑 Task endpoint access control. Global task listing and direct task stop endpoints are now restricted to administrators, while regular users can stop only their own chat tasks through a scoped chat endpoint. #23454
🧱 Redis cache key isolation. Tool server and terminal server cache entries now include the Redis key prefix, preventing multiple Open WebUI instances that share one Redis database from overwriting each other’s cached connection data. #23649
🧠 Client session leak prevention. Outbound provider requests now use a shared session pool with safer response cleanup and shutdown handling, preventing aiohttp session buildup and reducing memory growth during heavy concurrent API traffic. #23540, Commit
🧩 Tool enum value handling. Tool schema generation now safely handles enum values as strings, preventing failures when OpenAPI parameters include non-string enum entries. #23597, Commit
🧷 Responses model access control. The OpenAI-compatible Responses endpoint now enforces per-model permissions, preventing non-admin users from accessing models they are not allowed to use. #23481
🛡️ Collection process endpoint permissions. Collection processing endpoints now enforce collection ownership checks for web and text processing requests. Commit, #23634
📚 Knowledge query access enforcement. Knowledge-base collection queries now block unauthorized enumeration and require read access before returning results. Commit, #23635, #23452
🔍 RAG collection query permissions. Vector search collection queries now enforce access checks before retrieval results are returned. Commit, #23627
🔗 Chained base model access checks. Chained base model execution now enforces per-model access rules to prevent unauthorized model usage. Commit, Commit, #23647
✍️ Collaborative document write checks. Collaborative document updates now require proper write permission before changes are accepted. Commit, Commit, #23624
📥 Model import ownership validation. Model import now enforces ownership and access grant checks to prevent unauthorized imports. Commit, #23628
🚫 Inactive member channel access. Deactivated group members can no longer read or write channel content through direct API calls, so channel permissions now match active membership status. #23623
🎛️ Ollama endpoint model permissions. Restricted models are now protected on Ollama show, generate, embed, and embeddings endpoints, preventing authenticated users from using private models without read access. #23631
🧭 Azure deployment path validation. Azure model names are now validated and safely encoded before request URL construction, preventing path traversal attempts from reaching unintended Azure endpoints. #23629
👥 Private channel member list access. Standard channel member lists now require proper read permission, preventing unauthorized users from enumerating members of private channels by direct API calls. #23625
🌀 Tool server schema recursion safety. Tool server OpenAPI conversion now handles circular request schema references safely, preventing conversion crashes and ensuring one bad tool server spec does not break the full tool server list. #23588, Commit
🧱 Safer file path handling. File upload, transcription cache, and model download paths now use safer path construction helpers to reduce path parsing risks and improve cross-platform path safety. Commit
🧾 Prompt save error feedback. Saving prompt edits now shows a clear error toast if the save fails, so failed updates are visible instead of silently failing in the editor flow. Commit
🧾 Tool call JSON rendering. Tool call arguments and structured results now render as plain formatted JSON blocks instead of markdown code fences, preventing formatting quirks and making tool output easier to read consistently. Commit
👥 First-user admin race protection. Concurrent first-time LDAP or OAuth registrations can no longer create multiple admin accounts, so only the true first account is promoted during initial setup. #23626
🔒 SCIM token checks. SCIM authentication now compares tokens in a safer way, helping prevent timing-based token guessing attacks. #23577
🔒 Safer file access checks. HTML file previews now treat missing or non-admin owners as inaccessible, preventing accidental access to files that should not be shown. Commit
🖼️ ComfyUI request hangs. Concurrent image generation and editing requests to ComfyUI now complete reliably instead of getting stuck when the same user starts multiple requests at once. #23592, #23591
🧭 Permission-aware built-in tools. Built-in tools now consistently respect user feature permissions for memories, web search, image generation, code interpreter, notes, channels, and automations, preventing tools from being exposed to users without access. Commit
🛑 Interrupted MCP cleanup stability. Interrupted MCP tool calls no longer leave runaway cleanup behavior that can drive container CPU usage to 100%, keeping instances stable after cancellations or dropped connections. #23143
🚪 OAuth redirect URI reliability. OAuth login redirects now use provider client metadata more consistently, preventing incorrect HTTP callback URLs behind reverse proxies and improving sign-in reliability for providers such as Feishu. #23203, #23128
🌐 OAuth redirect handling. OAuth provider token exchange now follows redirects automatically, improving sign-in reliability with identity providers that redirect token endpoint requests. #23409, Commit
☁️ OneDrive picker redirect handling. OneDrive file picker authentication now uses the current app origin as the redirect URI, improving sign-in reliability when launching the picker from deployed environments. #23450, Commit
🍪 OAuth session cookie persistence. OIDC sign-in now correctly sets the "oauth_session_id" cookie, so "system_oauth" connections can forward user OAuth tokens to upstream providers as expected. #23251, #23250
🔑 OAuth session cookie handling. OAuth callback processing no longer fails on undefined cookie expiry data, so OAuth session cookies are stored correctly after sign-in. #23207, #23197
🔏 Ollama SSL handling. Ollama model management and file uploads now respect the configured SSL verification setting, so self-signed certificates work when SSL verification is disabled. #23503, Commit
🛡️ OAuth avatar URL validation. OAuth sign-in now validates profile picture URLs before fetching them, preventing invalid image links from causing login-time errors. #23356
🔑 User invite token expiry. New user invite logins now respect the configured "JWT_EXPIRES_IN" setting, so signup tokens expire as expected instead of using the default lifetime. #23576
🚪 Channel access checks. Channel actions now verify the current user when checking access, improving permission enforcement across channel views and message actions. Commit
📣 Channel message lookups. Channel message details and pinning now work more reliably when the sender account is missing, avoiding failures in those views. Commit
📌 Pinned webhook message handling. Viewing pinned webhook messages now works reliably even when webhook profile data is missing, preventing server errors and frontend crashes in channel pinned message dialogs. #23414
🛡️ Note edit permission enforcement. Note saving now requires write access instead of read access, preventing unauthorized users from modifying notes while preserving expected collaboration permissions. Commit
🗂️ Archived chats menu visibility. The 'Archived Chats' option in the user menu is now shown reliably for all users, so non-admin accounts can consistently access archived conversations. Commit
💾 Error message persistence. LLM errors that occur during streaming are now saved to the database even if the connection drops, so users can see what went wrong when they reconnect. #23231
🚫 Missing message completion guard. Chat completion finalization now skips invalid requests without a message identifier, preventing unnecessary error toasts caused by rare frontend concurrency timing. #23184
🧠 Active message completion accuracy. Switching chats or refreshing during generation no longer marks the currently streaming assistant message as finished too early, so thinking blocks and action buttons appear at the correct time. #23171
📞 Call overlay visibility. Incoming call events now open the call overlay and controls reliably, preventing cases where the call interface briefly appeared and then disappeared. Commit
💬 Prompt submission handling. Chat messages now preserve attached files more reliably when prompts are sent, including queued messages and shared prompt actions. Commit
🧾 Prompt variable form saving. Prompt variable forms now save reliably without runtime errors or an unresponsive save action, so input values and placeholders work correctly when applying prompt templates with variables. #23225, #23480
🛟 Task model fallback safety. Task routing now handles missing default model entries safely, preventing task execution failures when the previously selected model is no longer available. #23169
📊 Usage statistic preservation. Follow-up generation no longer overwrites existing token usage fields, so stored usage statistics remain accurate for the main response. #23152
📝 Writing block parsing reliability. ":::writing" blocks now parse more reliably when headers or extra inline text are present, preventing malformed rendering and duplicate output artifacts. #23174
🧾 Code block line break reliability. Blank lines in submitted code blocks are now preserved more reliably instead of being collapsed. Commit, #20302, #23451
✂️ Citation spacing cleanup. When citations are disabled for a model, citation markers and their leftover spacing are now removed together so punctuation and copied text remain cleanly formatted. #23141
🧰 Pipe tool access. Pipe functions now receive built-in and MCP tools in tools, so tools like Web Search and code execution are available when enabled. #23365
📚 Batch file processing database handling. Batch knowledge file processing now consistently uses the active database session, preventing failures caused by missing database context during file ownership checks and update writes. #23137
⚙️ Default model parameter loading. The "DEFAULT_MODEL_PARAMS" environment variable is now parsed and applied correctly, so default generation settings are honored reliably without being ignored at startup. #23223
🔧 Web search settings save reliability. Saving web search configuration now works without server errors, so administrators can update "WEB_FETCH_MAX_CONTENT_LENGTH" and related retrieval settings successfully from the admin interface. Commit, #23127
🔍 Web search result count. The built-in search_web tool now respects the admin-configured "Search Result Count" setting instead of always returning 5 results when using Native Function Calling mode. #23488, #23485
🖼️ Open Terminal file response handling. Open Terminal tool responses now preserve binary content types in user-side connections, so image and non-text file reads work consistently instead of being forced into plain text. #23125
🖥️ Terminal label casing. Terminal names in the chat input now display exactly as stored instead of being automatically capitalized, so domain-style server names appear correctly. #23518
🖼️ Gravatar profile photo saving. Gravatar profile images can now be saved successfully from account settings, with clearer validation and error handling instead of failing with generic object errors. #23156
🪟 Details expansion preference. Tool call detail groups now honor the 'Always Expand Details' chat setting, so they open expanded by default when that preference is enabled. #23262, #23255
🖱️ Rapid sidebar action protection. Archive and delete actions in the chat sidebar now ignore repeated clicks while a request is in progress, preventing duplicate requests and stacked error toasts. #23172
📲 Mobile model selector positioning. The mobile model selector dropdown now applies a constrained viewport width and left offset, preventing overflow and making model selection easier on small screens. #23310
🔽 Task list toggle icons. The task list collapse button now shows the correct arrow direction, making task sections easier to expand and collapse at a glance. Commit, #23354
➕ Attachment menu auto-close. The chat attachment menu now closes immediately after selecting upload actions like file upload, camera capture, web attach, Google Drive, or OneDrive, preventing the menu from lingering on screen. Commit, #23320
🧹 Per-chat draft clearing. Sent message drafts are now cleared using the active chat key, so sent text no longer reappears in the input after a refresh. Commit, #23296
✉️ Context-aware input action button. The input now shows the send action when text or files are present during generation, while keeping stop controls for truly empty input states to avoid action confusion. Commit, #23306
📉 Pyodide prompt cache stability. Pyodide code interpreter context is now appended to the system prompt instead of user messages, preserving stable prefix caching across turns and reducing repeated token costs in long native tool-calling chats. #23269
🧪 Temp chat outlet filtering. Outlet filters now process temporary chats more reliably, preserving assistant output and usage data so local chat responses stay consistent when filter pipelines are enabled. Commit

Changed

⚠️ Database Migrations: This release includes database schema changes; we strongly recommend backing up your database and all associated data before upgrading in production environments. If you are running a multi-worker, multi-server, or load-balanced deployment, all instances must be updated simultaneously, rolling updates are not supported and will cause application failures due to schema incompatibility.
🧨 Plugin async migration required. Custom plugins for Tools, Functions, and Pipelines may require migration to the new async backend signatures after upgrading, so plugin maintainers should update handlers and database call patterns for compatibility and follow the 0.9.0 plugin migration guide. Migration Guide
🔄 Automation terminal source. Automations now use the terminal configured on the selected model instead of a separate per-automation terminal picker, keeping terminal behavior consistent between chat and scheduled runs. Commit
🚧 OpenAI passthrough now opt-in. Direct OpenAI catch-all proxy requests are now disabled by default and require enabling "ENABLE_OPENAI_API_PASSTHROUGH", so deployments relying on passthrough must explicitly turn it on after upgrading. #23640
🗄️ SQLite WAL default enabled. SQLite deployments now default to enabling write-ahead logging, improving concurrent read and write behavior without requiring manual configuration. Commit