OpenWebUI - Package Updates

  • Package Updates wrote:
    #201

    [3.3.2]

    • Update open-webui to 0.9.2
    • Full Changelog
    • PaddleOCR-vl document extraction. Administrators can now use PaddleOCR-vl as a content extraction engine for document processing, with configurable API URL and token settings in document retrieval configuration. #23945
    • Firecrawl v2 API. Firecrawl web loading now uses the v2 API directly with proper retry logic, exponential backoff on rate limits, and configurable timeout handling, improving reliability for both cloud and self-hosted Firecrawl setups. #23934
    • Custom API key header. Administrators can now configure a custom header name for API key authentication via the CUSTOM_API_KEY_HEADER environment variable, enabling compatibility with reverse proxies that use the Authorization header for their own authentication.
    • Source overflow indicator. The Sources button now shows a +N badge when more than three sources are available, so hidden sources are clearly indicated in chat responses. #23918
    • Async database driver migration. The async database backend now uses psycopg (v3) instead of asyncpg, eliminating brittle SSL parameter translation and supporting native libpq connection strings including sslmode, options, and target_session_attrs without any stripping or conversion.
    • Throttle request handling. Request handling no longer fails when user activity status updates are throttled with a non-zero interval. #23979
    • Rich text extension conflicts. Rich text editing no longer triggers duplicate extension conflicts for lists and code blocks, improving editor stability. #24009
    • Browser-native message virtualization. The custom JavaScript-based message culling system (spacers, height caching, scroll listeners) was replaced with CSS content-visibility: auto, letting the browser natively skip rendering of off-screen messages without destroying component trees. This eliminates scroll jump artifacts and mount/destroy thrashing while preserving memory efficiency in long conversations.
    • psycopg v3 async driver. The async database driver has been migrated from asyncpg to psycopg (v3). This is a transparent change for most deployments, but custom connection strings with asyncpg-specific parameters may need adjustment.
    • Brotli dependency update. Brotli has been updated to address CVE-2025-6176.
    • Package Updates wrote:
      #202

      [3.3.3]

      • Update open-webui to 0.9.4
      • Full Changelog
      • Database Migrations: This release includes database schema changes; we strongly recommend backing up your database and all associated data before upgrading in production environments. If you are running a multi-worker, multi-server, or load-balanced deployment, all instances must be updated simultaneously; rolling updates are not supported and will cause application failures due to schema incompatibility.
      • Signout request method. The signout endpoint now requires POST instead of GET, so custom clients and integrations must update logout calls accordingly. #24420
      • Chat scroll position on load. Opening a chat conversation now reliably scrolls to the bottom of the message history, fixing a regression caused by content-visibility: auto where estimated element sizes prevented the initial scroll from reaching the true bottom.
      • Voice Mode mute control. Voice Mode now includes a dedicated mute toggle with an "M" shortcut and auto-unmute after assistant playback, so you can prevent accidental interruptions from background noise without leaving the call overlay. Commit, #23832
      • Faster prompt list loading. Prompt and prompt-tag pages now load much faster for non-admin users, even with large prompt libraries, because accessible prompts are filtered efficiently in a single database query. #24288, #24258
      • Brave LLM Context web search. Administrators can now choose Brave LLM Context as a web search provider to retrieve richer grounded passages with a configurable context token budget. Commit, #24120
      • Background code execution reliability. Code execution no longer hangs indefinitely when you switch conversations or browser tabs during a run, and disconnected or inactive sessions now fail with a clear timeout error instead of endless processing. Commit, #24089
      • Chat settings persistence. System prompts and other chat-level settings now persist correctly after creating a new chat and reloading, preventing prompt loss in affected conversations. Commit, #24193, #24270
      • Safer image URL handling. Untrusted external image URLs are now blocked in profile and rich-text image rendering paths, preventing unintended client-side requests to attacker-controlled domains. #24420
      • Windows PostgreSQL startup compatibility. Windows pip installs using PostgreSQL now start reliably with psycopg async by using a compatible event loop policy instead of the default Proactor loop. Commit, #24152
      • Package Updates wrote:
        #203

        [3.3.4]

        • Update open-webui to 0.9.5
        • Full Changelog
        • Redirect-based SSRF protection. All outbound HTTP requests now block 3xx redirects by default via a new AIOHTTP_CLIENT_ALLOW_REDIRECTS environment variable, preventing redirect-based SSRF where a public URL silently redirects to internal addresses (RFC 1918, loopback, cloud-metadata endpoints). Affected call sites include web fetch, image loading, OAuth discovery, tool server execution, and code interpreter login. #24491
        • Iframe content security policy. Administrators can now configure a Content-Security-Policy for all srcdoc iframes (Artifacts, tool embeds, file previews, citation modals) via the IFRAME_CSP environment variable, restricting what LLM-generated or user-uploaded HTML can load and execute inside previews. Commit
        • Granular markdown rendering controls. Users can now independently disable Markdown rendering for user messages and assistant responses from Interface settings, preventing unintended formatting when pasting text that contains Markdown-sensitive characters. Commit
        • Channel streaming and tool support. Mentioning a model in a Channel now streams responses in real time and supports the full chat completion pipeline, including native and default function calling, built-in tools (web search, image generation), user tools, MCP tools, filters, and RAG knowledge injection, the same capabilities available in standard chats.
        • Notes create and open reliability. Creating new notes and opening existing notes no longer fails with a TypeError caused by is_pinned being passed to the SQLAlchemy model on create, and passed twice to NoteResponse on read. #24484, #24486
        • Feedback user attribution spoofing. Submitting evaluation feedback can no longer forge the user_id field through mass-assignment, preventing authenticated users from attributing ratings to other users and corrupting Elo leaderboard rankings and admin feedback exports. #24508
        • URL parser SSRF bypass. URL validation now rejects backslash, tab, CR, and LF characters that cause urllib and requests/aiohttp to disagree on the target host, closing a parser-confusion SSRF bypass. #24534
        • Profile image MIME-type allowlist. Serving profile images from data URIs now enforces a strict MIME-type allowlist (PNG, JPEG, GIF, WEBP by default, configurable via PROFILE_IMAGE_ALLOWED_MIME_TYPES) and sets X-Content-Type-Options: nosniff, preventing stored-XSS through SVG or other executable content types. Commit
        • Legacy chat history self-healing. Loading legacy conversations now automatically detects broken parent-link graphs in migrated message records, merges missing messages from the embedded JSON history, and backfills them to the normalized table so future loads use the fast path without data loss. Commit
        • Removed unauthenticated retrieval status endpoint. The unauthenticated GET /api/v1/retrieval/ status endpoint has been removed as dead code; retrieval configuration is already available through authenticated admin endpoints. #24497
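The two SSRF items in the 3.3.4 notes above (rejecting backslash, tab, CR and LF in URLs, and keeping requests away from internal addresses) can be illustrated with a small outbound-URL check. This is an added example, not Open WebUI's code and not part of the original post; the function names and sample URLs are constructed, and only IP-literal hosts are classified here (a hostname would additionally need its resolved address checked, with redirects disabled or re-validated per hop).

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Characters the 0.9.5 note lists as making URL parsers disagree on the host.
FORBIDDEN_CHARS = ("\\", "\t", "\r", "\n")
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_ip(host: str) -> bool:
    """True if host is an IP literal outside globally routable space
    (RFC 1918, loopback, link-local such as cloud-metadata addresses)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; resolve-then-check is out of scope here
    return not ip.is_global


def validate_outbound_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is about to fetch."""
    # Inspect the raw string first: urlsplit() silently strips tab/CR/LF,
    # so a check made after parsing would never see them.
    for ch in FORBIDDEN_CHARS:
        if ch in url:
            return False, f"forbidden character {ch!r}"
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if is_internal_ip(host):
        return False, "internal address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the release notes.
    for sample in ("https://example.com/page", "https://exa\tmple.com/",
                   "https://example.com\\x", "http://169.254.169.254/",
                   "http://10.0.0.5/", "ftp://example.com/"):
        print(repr(sample), validate_outbound_url(sample))
```
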
        • Package Updates wrote:
          #204

          [3.3.5]

          • Update open-webui to 0.9.6
          • Full Changelog
          • Security Advisory: This release includes security and access-control fixes. We recommend updating production deployments at your earliest convenience. Not all security fixes in this version may be enumerated in the fixed section; some may be withheld for a short time to give administrators time to upgrade. Advisories
          • Database Migrations: This release includes database schema changes; we strongly recommend backing up your database and all associated data before upgrading in production environments. If you are running a multi-worker, multi-server, or load-balanced deployment, all instances must be updated simultaneously; rolling updates are not supported and will cause application failures due to schema incompatibility.
          • "WEBUI_SECRET_KEY" is now a hard requirement even for unsupported deployments. Deployments that start the backend in an explicitly unsupported way (such as invoking uvicorn directly) without setting "WEBUI_SECRET_KEY" will now refuse to start instead of falling back to an empty key; the supported start methods (start.sh, start_windows.bat, and "open-webui serve") still set or auto-generate it automatically, so standard deployments are unaffected. Direct Uvicorn startup is not supported. #25218
          • Official knowledge base sync tool. A new companion tool from Open WebUI, oikb, keeps a knowledge base in sync with a local directory, GitHub repo, S3 bucket, Confluence space, or any of more than 40 other sources, uploading only new and changed files using the incremental sync support added in this release. oikb
          • Knowledge base folders. Files inside a knowledge base can now be organized into nested folders, with breadcrumb navigation that makes it much easier to manage and find content in large collections.
          • Filesystem tool for knowledge bases. A new built-in tool, enabled via the "ENABLE_KB_EXEC" environment variable, lets AI models browse and search knowledge base contents using familiar filesystem commands such as 'ls', 'cat', 'grep', 'find', 'head', 'tail', and 'sed', including pipes between them.
          • Tool server permission enforcement. The per-user permission for inline tool servers is now enforced on chat-completion requests, so users without that permission can no longer bypass the admin setting by supplying tool servers directly in their requests.
          • Cross-user access to retrieval collections. Resolving the documents used for retrieval now verifies the caller's access to each referenced file and rejects client-supplied collection names, preventing a crafted request from pulling another user's files or vector collections into its context.
          • Unscoped retrieval collections denied by default. Retrieval requests for collection names that don't correspond to a known file, memory, web-search, or knowledge base are now denied for non-admins by default, with a new "ENABLE_RETRIEVAL_UNSCOPED_COLLECTIONS" setting to restore the previous behavior if needed.
          • Tool-call iteration cap renamed and raised. The environment variable that limits how many tool calls a single chat response may make is now "CHAT_RESPONSE_MAX_TOOL_CALL_ITERATIONS", with its default raised from 30 to 256 and a new "-1" value for unlimited; the previous "CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES" name continues to work as a fallback, and chats that hit the cap now show a clear error in-chat instead of stopping silently. #24918