← Open WebUI Changelog
v0.6.27
Sep 9, 2025 (5mo ago)
View on GitHub →
[0.6.27] - 2025-09-09
Added
- 📁 Emoji folder icons were added, allowing users to personalize workspace organization with visual cues, including improved chevron display. Commit, Commit, Commit, Commit
- 📁 The 'Search Collection' input field now dynamically displays the total number of files within the knowledge base. Commit
- ☁️ A provider toggle in connection settings now allows users to manually specify Azure OpenAI deployments. Commit
- ⚡ Model list caching performance was optimized by fixing cache key generation to reduce redundant API calls. #17158
- 🎨 Azure OpenAI image generation is now supported, with configurations for IMAGES_OPENAI_API_VERSION via environment variable and admin UI. #17147, #16274, Docs:#679
- ⚡ Comprehensive N+1 query performance is optimized by reducing database queries from 1+N to 1+1 patterns across major listing endpoints. #17165, #17160, #17161, #17162, #17159, #17166
- ⚡ The PDF.js library is now dynamically loaded, significantly reducing initial page load size and improving responsiveness. #17222
- ⚡ The heic2any library is now dynamically loaded across various message input components, including channels, for faster page loads. #17225, #17229
- 📚 The knowledge API now supports a "delete_file" query parameter, allowing configurable file deletion behavior. Commit
- 📊 Llama.cpp timing statistics are now integrated into the usage field for comprehensive model performance metrics. Commit
- 🗄️ The PGVECTOR_CREATE_EXTENSION environment variable now allows control over automatic pgvector extension creation. Commit, Commit, Docs:#672
- 🔒 Comprehensive server-side OAuth token management was implemented, securely storing encrypted tokens in a new database table and introducing an automatic refresh mechanism, enabling seamless and secure forwarding of valid user-specific OAuth tokens to downstream services, including OpenAI-compatible endpoints and external tool servers via the new "system_oauth" authentication type, resolving long-standing issues such as large token size limitations, stale/expired tokens, and reliable token propagation, and enhancing overall security by minimizing client-side token exposure, configurable via "ENABLE_OAUTH_ID_TOKEN_COOKIE" and "OAUTH_SESSION_TOKEN_ENCRYPTION_KEY" environment variables. Docs:#683, #17210, #8957, #11029, #17178, #17183, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit
- 🔒 Conditional Permission Hardening for OpenShift Deployments: Added a build argument to enable optional permission hardening for OpenShift and container environments. Commit
- 👥 Regex pattern support is added for OAuth blocked groups, allowing more flexible group filtering rules. Commit
- 💬 Web search result display was enhanced to include titles and favicons, providing a clearer overview of search sources. Commit, Commit, Commit, #17197, #14179, Commit, Commit, Commit, Commit, Commit, Commit
- 💬 A new setting was added to control whether clicking a suggested prompt automatically sends the message or only inserts the text. #17192, Commit
- 🔄 Various improvements were implemented across the frontend and backend to enhance performance, stability, and security.
- 🌐 Translations for Portuguese (Brazil), Simplified Chinese, Catalan, and Spanish were enhanced and expanded.
Fixed
- 🔍 Hybrid search functionality now correctly handles lexical-semantic weight labels and avoids errors when BM25 weight is zero. #17049, #17046
- 🛑 Task stopping errors are prevented by gracefully handling multiple stop requests for the same task. #17195
- 🐍 Code execution package detection precision is improved in Pyodide to prevent unnecessary package inclusions. Commit
- 🛠️ Tool message format API compliance is fixed by ensuring content fields in tool call responses contain valid string values instead of null. Commit
- 📱 Mobile app config API authentication now supports Authorization header token verification with cookie fallback for iOS and Android requests. #17175
- 💾 Knowledge file save race conditions are prevented by serializing API calls and adding an "isSaving" guard. #17137, Commit
- 🔐 The SSO login button visibility is restored for OIDC PKCE authentication without a client secret. #17012
- 🔊 Text-to-Speech (TTS) API requests now use proper URL joining methods, ensuring reliable functionality regardless of trailing slashes in the base URL. #17061
- 🛡️ Admin account creation on Hugging Face Spaces now correctly detects the configured port, resolving issues with custom port deployments. #17064
- 📁 Unicode filename support is improved for external document loaders by properly URL-encoding filenames in HTTP headers. #17013, #17000
- 🔗 Web page and YouTube attachments are now correctly processed by setting their type as "text" and using collection names for accurate content retrieval. Commit
- ✍️ Message input composition event handling is fixed to properly manage text input for multilingual users using Input Method Editors (IME). #17085
- 💬 Follow-up tooltip duplication is removed, streamlining the user interface and preventing visual clutter. #17186
- 🎨 Chat button text display is corrected by preventing clipping of descending characters and removing unnecessary capitalization. #17191
- 🧠 RAG Loop/Error with Gemma 3.1 2B Instruct is fixed by correctly unwrapping unexpected single-item list responses from models. Commit, #17213
- 🖼️ HEIC conversion failures are resolved, improving robustness of image handling. #17225
- 📦 The slim Docker image size regression has been fixed by refining the build process to correctly exclude components when USE_SLIM=true. #16997, Commit, Commit
- 📁 Knowledge base update validation errors are resolved, ensuring seamless management via UI or API. #17244, Commit
- 🔐 Resolved a security issue where a global web search setting overrode model-specific restrictions, ensuring model-level settings are now correctly prioritized. #17151, Commit
- 🔐 OAuth redirect reliability is improved by robustly preserving the intended redirect path using session storage. #17235, Commit, #15575, Commit
- 🔐 Fixed a security vulnerability where knowledge base access within chat folders persisted after permissions were revoked. #17182, Commit
- 🔒 OIDC access denied errors are now displayed as user-friendly toast notifications instead of raw JSON. #17208, Commit
- 💬 Chat exception handling is enhanced to prevent system instability during message generation and ensure graceful error recovery. Commit
- 🔒 Static asset authentication is improved by adding crossorigin="use-credentials" attributes to all link elements, enabling proper cookie forwarding for proxy environments and authenticated requests to favicon, manifest, and stylesheet resources. #17280, Commit
Changed
- 🛠️ Renamed "Tools" to "External Tools" across the UI for clearer distinction between built-in and external functionalities. Commit
- 🛡️ Default permission validation for message regeneration and deletion actions is enhanced to provide more restrictive access controls, improving chat security and user data protection. #17285
Sponsors 🙌
🚀 We'd like to extend a heartfelt thank you to our amazing sponsors for their generous support (Note: We've excluded private sponsors from this list. If you'd like to get featured here, feel free to reach out to us!) #### Emerald- Tailscale <a href="https://tailscale.com/blog/self-host-a-local-ai-stack/?utm_source=OpenWebUI&utm_medium=paid-ad-placement&utm_campaign=OpenWebUI-Docs" target="_blank">
- Warp <a href="https://warp.dev/open-webui" target="_blank">