Open WebUI Files

[0.6.27] - 2025-09-09

Added

• 📁 Emoji folder icons were added, allowing users to personalize workspace organization with visual cues, including improved chevron display. Commit, Commit, Commit, Commit
• 📁 The 'Search Collection' input field now dynamically displays the total number of files within the knowledge base. Commit
• ☁️ A provider toggle in connection settings now allows users to manually specify Azure OpenAI deployments. Commit
• ⚡ Model list caching performance was optimized by fixing cache key generation to reduce redundant API calls. #17158
• 🎨 Azure OpenAI image generation is now supported, with configurations for IMAGES_OPENAI_API_VERSION via environment variable and admin UI. #17147, #16274, Docs:#679
• ⚡ Comprehensive N+1 query performance is optimized by reducing database queries from 1+N to 1+1 patterns across major listing endpoints. #17165, #17160, #17161, #17162, #17159, #17166
• ⚡ The PDF.js library is now dynamically loaded, significantly reducing initial page load size and improving responsiveness. #17222
• ⚡ The heic2any library is now dynamically loaded across various message input components, including channels, for faster page loads. #17225, #17229
• 📚 The knowledge API now supports a "delete_file" query parameter, allowing configurable file deletion behavior. Commit
• 📊 Llama.cpp timing statistics are now integrated into the usage field for comprehensive model performance metrics. Commit
• 🗄️ The PGVECTOR_CREATE_EXTENSION environment variable now allows control over automatic pgvector extension creation. Commit, Commit, Docs:#672
• 🔒 Comprehensive server-side OAuth token management was implemented, securely storing encrypted tokens in a new database table and introducing an automatic refresh mechanism, enabling seamless and secure forwarding of valid user-specific OAuth tokens to downstream services, including OpenAI-compatible endpoints and external tool servers via the new "system_oauth" authentication type, resolving long-standing issues such as large token size limitations, stale/expired tokens, and reliable token propagation, and enhancing overall security by minimizing client-side token exposure, configurable via "ENABLE_OAUTH_ID_TOKEN_COOKIE" and "OAUTH_SESSION_TOKEN_ENCRYPTION_KEY" environment variables. Docs:#683, #17210, #8957, #11029, #17178, #17183, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit
• 🔒 Conditional Permission Hardening for OpenShift Deployments: Added a build argument to enable optional permission hardening for OpenShift and container environments. Commit
• 👥 Regex pattern support is added for OAuth blocked groups, allowing more flexible group filtering rules. Commit
• 💬 Web search result display was enhanced to include titles and favicons, providing a clearer overview of search sources. Commit, Commit, Commit, #17197, #14179, Commit, Commit, Commit, Commit, Commit, Commit
• 💬 A new setting was added to control whether clicking a suggested prompt automatically sends the message or only inserts the text. #17192, Commit
• 🔄 Various improvements were implemented across the frontend and backend to enhance performance, stability, and security.
• 🌐 Translations for Portuguese (Brazil), Simplified Chinese, Catalan, and Spanish were enhanced and expanded.

Fixed

• 🔍 Hybrid search functionality now correctly handles lexical-semantic weight labels and avoids errors when BM25 weight is zero. #17049, #17046
• 🛑 Task stopping errors are prevented by gracefully handling multiple stop requests for the same task. #17195
• 🐍 Code execution package detection precision is improved in Pyodide to prevent unnecessary package inclusions. Commit
• 🛠️ Tool message format API compliance is fixed by ensuring content fields in tool call responses contain valid string values instead of null. Commit
• 📱 Mobile app config API authentication now supports Authorization header token verification with cookie fallback for iOS and Android requests. #17175
• 💾 Knowledge file save race conditions are prevented by serializing API calls and adding an "isSaving" guard. #17137, Commit
• 🔐 The SSO login button visibility is restored for OIDC PKCE authentication without a client secret. #17012
• 🔊 Text-to-Speech (TTS) API requests now use proper URL joining methods, ensuring reliable functionality regardless of trailing slashes in the base URL. #17061
• 🛡️ Admin account creation on Hugging Face Spaces now correctly detects the configured port, resolving issues with custom port deployments. #17064
• 📁 Unicode filename support is improved for external document loaders by properly URL-encoding filenames in HTTP headers. #17013, #17000
• 🔗 Web page and YouTube attachments are now correctly processed by setting their type as "text" and using collection names for accurate content retrieval. Commit
• ✍️ Message input composition event handling is fixed to properly manage text input for multilingual users using Input Method Editors (IME). #17085
• 💬 Follow-up tooltip duplication is removed, streamlining the user interface and preventing visual clutter. #17186
• 🎨 Chat button text display is corrected by preventing clipping of descending characters and removing unnecessary capitalization. #17191
• 🧠 RAG Loop/Error with Gemma 3.1 2B Instruct is fixed by correctly unwrapping unexpected single-item list responses from models. Commit, #17213
• 🖼️ HEIC conversion failures are resolved, improving robustness of image handling. #17225
• 📦 The slim Docker image size regression has been fixed by refining the build process to correctly exclude components when USE_SLIM=true. #16997, Commit, Commit
• 📁 Knowledge base update validation errors are resolved, ensuring seamless management via UI or API. #17244, Commit
• 🔐 Resolved a security issue where a global web search setting overrode model-specific restrictions, ensuring model-level settings are now correctly prioritized. #17151, Commit
• 🔐 OAuth redirect reliability is improved by robustly preserving the intended redirect path using session storage. #17235, Commit, #15575, Commit
• 🔐 Fixed a security vulnerability where knowledge base access within chat folders persisted after permissions were revoked. #17182, Commit
• 🔒 OIDC access denied errors are now displayed as user-friendly toast notifications instead of raw JSON. #17208, Commit
• 💬 Chat exception handling is enhanced to prevent system instability during message generation and ensure graceful error recovery. Commit
• 🔒 Static asset authentication is improved by adding crossorigin="use-credentials" attributes to all link elements, enabling proper cookie forwarding for proxy environments and authenticated requests to favicon, manifest, and stylesheet resources. #17280, Commit

Changed

• 🛠️ Renamed "Tools" to "External Tools" across the UI for clearer distinction between built-in and external functionalities. Commit
• 🛡️ Default permission validation for message regeneration and deletion actions is enhanced to provide more restrictive access controls, improving chat security and user data protection. #17285

[!TIP]
Looking for an Enterprise Plan? – Speak with Our Sales Team Today!

Get enhanced capabilities, including custom theming and branding, Service Level Agreement (SLA) support, and more!

👏 Massive thanks to our incredible contributors for their hard work and dedication to making this release possible: @athoik, @rgaricano, @Classic298, @Elettrotecnica, @thomascooper, @garylab, @Ithanil, @dependabot[bot], @acwoo97, @aleixdorca, @aREversez, @AdamJohnSwan, @hadadrjt, @Viruzaum, @joaoback, @ShirasawaSama

Sponsors 🙌

🚀 We'd like to extend a heartfelt thank you to our amazing sponsors for their generous support (Note: We've excluded private sponsors from this list. If you'd like to get featured here, feel free to reach out to us!)

Emerald

• Tailscale
• Warp

@amd, @agency-agency, @roosi-gmbh, @feddersen-group, @SRKConsulting, @mushmax, @rndmcnlly, @icanbwell, @Krambu-Travis, @loitragg, @GenieDev101, @CubicleGangster, @GitDatamind, @TOWaB, @TheZigGroup, @Classic298, @comet-ml, @FominVO, @catalyst-net-nz, @JrdnHans, @hkosm, @VeroFess, @joaoback