chore(deps): update ghcr.io/open-webui/open-webui docker tag to v0.9.5

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
ghcr.io/open-webui/open-webui	minor	0.6.41 → v0.9.5

---

Release Notes

open-webui/open-webui (ghcr.io/open-webui/open-webui)

v0.9.5

Compare Source

Added

• 🛡️ Redirect-based SSRF protection. All outbound HTTP requests now block 3xx redirects by default via a new AIOHTTP_CLIENT_ALLOW_REDIRECTS environment variable, preventing redirect-based SSRF where a public URL silently redirects to internal addresses (RFC 1918, loopback, cloud-metadata endpoints). Affected call sites include web fetch, image loading, OAuth discovery, tool server execution, and code interpreter login. #​24491
• 🛡️ Iframe content security policy. Administrators can now configure a Content-Security-Policy for all srcdoc iframes (Artifacts, tool embeds, file previews, citation modals) via the IFRAME_CSP environment variable, restricting what LLM-generated or user-uploaded HTML can load and execute inside previews. Commit
• 🎛️ Granular markdown rendering controls. Users can now independently disable Markdown rendering for user messages and assistant responses from Interface settings, preventing unintended formatting when pasting text that contains Markdown-sensitive characters. Commit
• 🔧 Terminal proxy response headers. Administrators can now inject custom response headers into terminal proxy responses via the TERMINAL_PROXY_HEADERS environment variable (JSON object), enabling deployment-specific security headers like sandbox policies for proxied content. Commit
• 🔌 Channel streaming and tool support. Mentioning a model in a Channel now streams responses in real time and supports the full chat completion pipeline, including native and default function calling, built-in tools (web search, image generation), user tools, MCP tools, filters, and RAG knowledge injection — the same capabilities available in standard chats.

Fixed

• 📝 Notes create and open reliability. Creating new notes and opening existing notes no longer fails with a TypeError caused by is_pinned being passed to the SQLAlchemy model on create, and passed twice to NoteResponse on read. #​24484, #​24486
• 🔐 Skill public sharing permission enforcement. Creating or updating skills now filters access grants through the sharing.public_skills permission, preventing non-admin users from making skills publicly accessible without the required permission. #​24494
• 🔐 Calendar public sharing permission enforcement. Creating or updating calendars now filters access grants through a new sharing.public_calendars permission, preventing users from making calendars publicly readable or writable without explicit admin-granted sharing permission. #​24493
• 🔐 Feedback user attribution spoofing. Submitting evaluation feedback can no longer forge the user_id field through mass-assignment, preventing authenticated users from attributing ratings to other users and corrupting Elo leaderboard rankings and admin feedback exports. #​24508
• 🛡️ Image URL redirect-based SSRF. Chat messages containing image URLs no longer follow 3xx redirects to internal addresses during base64 conversion, closing the most reachable redirect-based SSRF variant that required no special permissions or feature flags. #​24524
• 🛡️ Collection write access on file processing. The process_file and process_files_batch retrieval endpoints now enforce collection write-access checks before embedding content, preventing authenticated users from injecting file content into another user's knowledge-base collection. #​24524
• 🔐 Tool source code update authorization. Updating a tool's Python source code now requires workspace.tools or workspace.tools_import permission, preventing users with only a write-access grant from overwriting executable tool code while still allowing metadata edits. #​24513
• 🔐 Channel message ownership enforcement. Updating or deleting messages in group and DM channels now requires message ownership, preventing channel members from tampering with or silently removing other members' messages. #​24506
• 🔐 Channel pin write permission. Pinning and unpinning messages on standard channels now requires write permission instead of read permission, preventing read-only users from modifying pinned content. #​24521
• 🛡️ Image generation URL validation. Generated image URLs are now validated through validate_url() before fetching, aligning the defense-in-depth posture with sibling image-loading paths. #​24518
• 🔐 Model params exposure for read-only users. The per-model API endpoint now strips the params dict (including system prompts) from responses to callers without write access, preventing read-only users from viewing admin-curated model configuration. #​24525
• 🛡️ URL parser SSRF bypass. URL validation now rejects backslash, tab, CR, and LF characters that cause urllib and requests/aiohttp to disagree on the target host, closing a parser-confusion SSRF bypass. #​24534
• 🛡️ Profile image MIME-type allowlist. Serving profile images from data URIs now enforces a strict MIME-type allowlist (PNG, JPEG, GIF, WEBP by default, configurable via PROFILE_IMAGE_ALLOWED_MIME_TYPES) and sets X-Content-Type-Options: nosniff, preventing stored-XSS through SVG or other executable content types. Commit
• 🔐 File ownership in folder and knowledge attachments. Attaching files to folders or knowledge bases now verifies per-file read access, and folder file lists in chat middleware are filtered to entries the caller can read, preventing unauthorized file content from being injected into RAG context. Commit
• 🔐 Shared chat access for owners and admins. Chat owners can now view and clone their own shared chats without requiring an explicit access grant, and administrators can manage shared chat access controls on any chat. Commit, Commit
• 🧵 Legacy chat history self-healing. Loading legacy conversations now automatically detects broken parent-link graphs in migrated message records, merges missing messages from the embedded JSON history, and backfills them to the normalized table so future loads use the fast path without data loss. Commit
• 🎛️ Filter selector reactivity. Model filter checkboxes now derive state reactively from the current filter list and selected IDs instead of capturing a one-time snapshot at mount, so checkboxes update correctly when model contexts or filter configurations change at runtime. Commit
• 🌐 Portuguese (Brazil) translation updates. Translations for newly added UI items were added along with a consistency pass across existing entries. #​24503

Changed

• 🧹 Removed unauthenticated retrieval status endpoint. The unauthenticated GET /api/v1/retrieval/ status endpoint has been removed as dead code — retrieval configuration is already available through authenticated admin endpoints. #​24497
• 📋 PR template issue requirement. Pull requests now require a linked Issue or Discussion reference, ensuring better traceability for all contributions. PRs without a linked issue or discussion may be closed without review.

v0.9.5

Compare Source

Added

• 🛡️ Redirect-based SSRF protection. All outbound HTTP requests now block 3xx redirects by default via a new AIOHTTP_CLIENT_ALLOW_REDIRECTS environment variable, preventing redirect-based SSRF where a public URL silently redirects to internal addresses (RFC 1918, loopback, cloud-metadata endpoints). Affected call sites include web fetch, image loading, OAuth discovery, tool server execution, and code interpreter login. #​24491
• 🛡️ Iframe content security policy. Administrators can now configure a Content-Security-Policy for all srcdoc iframes (Artifacts, tool embeds, file previews, citation modals) via the IFRAME_CSP environment variable, restricting what LLM-generated or user-uploaded HTML can load and execute inside previews. Commit
• 🎛️ Granular markdown rendering controls. Users can now independently disable Markdown rendering for user messages and assistant responses from Interface settings, preventing unintended formatting when pasting text that contains Markdown-sensitive characters. Commit
• 🔧 Terminal proxy response headers. Administrators can now inject custom response headers into terminal proxy responses via the TERMINAL_PROXY_HEADERS environment variable (JSON object), enabling deployment-specific security headers like sandbox policies for proxied content. Commit
• 🔌 Channel streaming and tool support. Mentioning a model in a Channel now streams responses in real time and supports the full chat completion pipeline, including native and default function calling, built-in tools (web search, image generation), user tools, MCP tools, filters, and RAG knowledge injection — the same capabilities available in standard chats.

Fixed

• 📝 Notes create and open reliability. Creating new notes and opening existing notes no longer fails with a TypeError caused by is_pinned being passed to the SQLAlchemy model on create, and passed twice to NoteResponse on read. #​24484, #​24486
• 🔐 Skill public sharing permission enforcement. Creating or updating skills now filters access grants through the sharing.public_skills permission, preventing non-admin users from making skills publicly accessible without the required permission. #​24494
• 🔐 Calendar public sharing permission enforcement. Creating or updating calendars now filters access grants through a new sharing.public_calendars permission, preventing users from making calendars publicly readable or writable without explicit admin-granted sharing permission. #​24493
• 🔐 Feedback user attribution spoofing. Submitting evaluation feedback can no longer forge the user_id field through mass-assignment, preventing authenticated users from attributing ratings to other users and corrupting Elo leaderboard rankings and admin feedback exports. #​24508
• 🛡️ Image URL redirect-based SSRF. Chat messages containing image URLs no longer follow 3xx redirects to internal addresses during base64 conversion, closing the most reachable redirect-based SSRF variant that required no special permissions or feature flags. #​24524
• 🛡️ Collection write access on file processing. The process_file and process_files_batch retrieval endpoints now enforce collection write-access checks before embedding content, preventing authenticated users from injecting file content into another user's knowledge-base collection. #​24524
• 🔐 Tool source code update authorization. Updating a tool's Python source code now requires workspace.tools or workspace.tools_import permission, preventing users with only a write-access grant from overwriting executable tool code while still allowing metadata edits. #​24513
• 🔐 Channel message ownership enforcement. Updating or deleting messages in group and DM channels now requires message ownership, preventing channel members from tampering with or silently removing other members' messages. #​24506
• 🔐 Channel pin write permission. Pinning and unpinning messages on standard channels now requires write permission instead of read permission, preventing read-only users from modifying pinned content. #​24521
• 🛡️ Image generation URL validation. Generated image URLs are now validated through validate_url() before fetching, aligning the defense-in-depth posture with sibling image-loading paths. #​24518
• 🔐 Model params exposure for read-only users. The per-model API endpoint now strips the params dict (including system prompts) from responses to callers without write access, preventing read-only users from viewing admin-curated model configuration. #​24525
• 🛡️ URL parser SSRF bypass. URL validation now rejects backslash, tab, CR, and LF characters that cause urllib and requests/aiohttp to disagree on the target host, closing a parser-confusion SSRF bypass. #​24534
• 🛡️ Profile image MIME-type allowlist. Serving profile images from data URIs now enforces a strict MIME-type allowlist (PNG, JPEG, GIF, WEBP by default, configurable via PROFILE_IMAGE_ALLOWED_MIME_TYPES) and sets X-Content-Type-Options: nosniff, preventing stored-XSS through SVG or other executable content types. Commit
• 🔐 File ownership in folder and knowledge attachments. Attaching files to folders or knowledge bases now verifies per-file read access, and folder file lists in chat middleware are filtered to entries the caller can read, preventing unauthorized file content from being injected into RAG context. Commit
• 🔐 Shared chat access for owners and admins. Chat owners can now view and clone their own shared chats without requiring an explicit access grant, and administrators can manage shared chat access controls on any chat. Commit, Commit
• 🧵 Legacy chat history self-healing. Loading legacy conversations now automatically detects broken parent-link graphs in migrated message records, merges missing messages from the embedded JSON history, and backfills them to the normalized table so future loads use the fast path without data loss. Commit
• 🎛️ Filter selector reactivity. Model filter checkboxes now derive state reactively from the current filter list and selected IDs instead of capturing a one-time snapshot at mount, so checkboxes update correctly when model contexts or filter configurations change at runtime. Commit
• 🌐 Portuguese (Brazil) translation updates. Translations for newly added UI items were added along with a consistency pass across existing entries. #​24503

Changed

• 🧹 Removed unauthenticated retrieval status endpoint. The unauthenticated GET /api/v1/retrieval/ status endpoint has been removed as dead code — retrieval configuration is already available through authenticated admin endpoints. #​24497
• 📋 PR template issue requirement. Pull requests now require a linked Issue or Discussion reference, ensuring better traceability for all contributions. PRs without a linked issue or discussion may be closed without review.

v0.9.4

Compare Source

Fixed

• 📜 Chat scroll position on load. Opening a chat conversation now reliably scrolls to the bottom of the message history, fixing a regression caused by content-visibility: auto where estimated element sizes prevented the initial scroll from reaching the true bottom.

v0.9.4

Compare Source

Fixed

• 📜 Chat scroll position on load. Opening a chat conversation now reliably scrolls to the bottom of the message history, fixing a regression caused by content-visibility: auto where estimated element sizes prevented the initial scroll from reaching the true bottom.

v0.9.3

Compare Source

Added

• 🔇 Voice Mode mute control. Voice Mode now includes a dedicated mute toggle with an "M" shortcut and auto-unmute after assistant playback, so you can prevent accidental interruptions from background noise without leaving the call overlay. Commit, #​23832
• 🚀 Faster prompt list loading. Prompt and prompt-tag pages now load much faster for non-admin users, even with large prompt libraries, because accessible prompts are filtered efficiently in a single database query. #​24288, #​24258
• ⚡ Faster chat history loading. Chat history maps now load from normalized message records when available, reducing overhead for large conversations while preserving fallback behavior for legacy chats. Commit, #​23159
• 🗑️ Delete from conversation menu. You can now delete the current conversation directly from the chat menu with a confirmation step, so cleanup is faster without searching through the full chat list. Commit, #​24329
• ⬆️ Scroll to Top shortcut. Long conversations now include a Scroll to Top action in the chat menu when you are away from the top, making it much faster to jump back to the beginning of a chat. Commit, #​24133
• 📅 Calendar creation flow. Users can now create calendars from a dedicated modal and a quick-add action in the calendar sidebar, making calendar setup faster from the calendar workspace. Commit, Commit
• 🧭 Unified model unload controls. Administrators can now unload running models from the model selector across supported providers, with loaded-state indicators shown for Ollama and llama.cpp models. Commit
• ⚡ Health check responsiveness. Health and readiness probes now avoid blocking database calls and skip sync session commit handling on probe paths, improving responsiveness and reducing false unready transitions during database pressure. #​24380, #​24384
• 🎛️ Playground controls panel. The Playground now includes a dedicated Controls toggle so you can adjust parameters like temperature and related settings per chat run without changing model-level defaults. Commit, #​24103
• 🎙️ STT file extension controls. Administrators can now configure which audio file extensions are accepted for speech-to-text uploads, helping enforce safer and more predictable upload policies. Commit
• 📷 Remembered call camera selection. Voice call overlay now remembers your last selected camera and restores it automatically when available, so you do not need to reselect it every time you start voice mode. Commit, #​24416
• 👥 User group prompt variable. System and template prompts now support the "{{USER_GROUPS}}" variable, which expands to the user’s group memberships so prompts can adapt to role- or access-based context automatically. Commit, #​24462
• 🔐 Public chat sharing permission control. Administrators can now control whether users are allowed to create publicly shareable chats through a dedicated permission setting. Commit
• 🔐 Profile image forwarding control. Administrators can now disable external profile image URL forwarding with the "ENABLE_PROFILE_IMAGE_URL_FORWARDING" setting to prevent browser metadata leaks to third-party servers. #​24420
• 🏷️ Dynamic header template variables. Administrators can now use chat, message, and user template variables in custom connection and tool server headers so each request can carry per-conversation context automatically. Commit, #​24164
• 🛂 MCP OAuth server URL setting. Static OAuth tool server setups can now define a separate OAuth server URL, making discovery and client registration work when authentication endpoints are hosted separately from the tool server URL. Commit, #​24164, #​24216
• ⚡ Faster memory query performance. Per-user memory lookups and deletions now run much faster at scale because the memory user filter is indexed for existing and new installations. Commit, #​23836
• 🚀 Smarter function dependency installs. Function dependencies are now skipped when they were already preinstalled and unchanged, reducing first-load delays and repeated package installation churn after startup. Commit, #​24166
• 🔎 Brave LLM Context web search. Administrators can now choose Brave LLM Context as a web search provider to retrieve richer grounded passages with a configurable context token budget. Commit, #​24120
• 🗂️ Open Terminal date sorting. Open Terminal now includes sort controls for name and date, with directory-first ordering and modified-time visibility to make file browsing faster. Commit, #​24425
• 🎤 Voice mode prompt toggle. Administrators can now explicitly enable or disable the Voice Mode custom prompt behavior from Interface settings, giving finer control over how voice replies are guided. Commit
• 🧮 LaTeX copy shortcut. You can now click rendered LaTeX expressions to copy the raw formula to your clipboard, making it easier to reuse equations outside chat. Commit, #​24244
• ✨ Smoother rich text editing. The message composer now defers formatting toolbar refresh work to the next animation frame, reducing typing jank while formatting controls stay accurate. Commit, #​24013
• 🖼️ Arena model profile images. Arena models can now reliably display configured profile images instead of falling back to the default icon. Commit, #​24412
• 🔄 Replaceable tool embed updates. Pipes and Tools can now overwrite previously emitted rich-UI embeds in-place by passing a replace flag on the embeds event, enabling live dashboards and progress panels that update without stacking duplicate entries.
• ✏️ Assistant response editing and continuation. You can now edit and restructure assistant output items — including reasoning blocks, tool calls, and text content — from a dedicated editor view, and continue generating from the edited state so the model receives full prior context.
• 🔄 General improvements. Various improvements were implemented across the application to enhance performance, stability, and security.
• 🌐 Translation updates. Translations for Chinese, Catalan, Filipino, and Korean were enhanced and expanded.

Fixed

• 🧵 Background code execution reliability. Code execution no longer hangs indefinitely when you switch conversations or browser tabs during a run, and disconnected or inactive sessions now fail with a clear timeout error instead of endless processing. Commit, #​24089
• 🎙️ Voice recording MIME fallback support. Voice recording now tries a broader set of browser-supported audio formats and resets halted audio playback cleanly, improving microphone capture reliability in browsers where recording previously failed to start. Commit, #​24162
• 🧠 Direct-connection task generation reliability. Title, tags, follow-up, emoji, query, and related task-generation endpoints now work correctly when chats use direct-connection models instead of failing with model-not-found errors. Commit, Commit, #​24092
• 🔧 Parameterized URL tool readiness. New chats now wait for model defaults to finish applying before auto-submit, preventing early requests that can miss configured external tools. Commit, #​24176
• 🚦 MCP cleanup response reliability. Successful native MCP tool calls no longer get replaced by a 500 "No response returned" error during cleanup, so valid chat responses are now returned consistently. #​24105
• 🧵 Active task state recovery. Chat input no longer stays blocked by unrelated background tasks after a response is already complete, and interrupted assistant replies are now marked done more reliably. Commit, #​23264
• 📌 Per-user note pinning behavior. Pinned notes are now tracked per user instead of with a shared note-level flag, so one person’s pin changes no longer affect everyone else. Commit
• 🧱 Custom header value coercion. Custom header values are now converted to text before requests are sent, preventing request failures when non-text values are configured. Commit, #​24164
• 🔗 HTTP share link copy fallback. Copy Link now works reliably on HTTP deployments by using a selection-based fallback when secure clipboard APIs are unavailable. Commit, #​24135
• 🧵 Regeneration loading lock recovery. Chats no longer get stuck in a permanent loading state after failed regenerations because invalid message-tree references are repaired before rendering. Commit, #​24424
• 📸 Complete chat image capture. Downloaded chat snapshots now include all messages more reliably through visibility overrides and layout timing improvements during capture. Commit, Commit, #​24088
• 🗓️ Calendar deletion lock handling. Calendar deletion now avoids SQLite write-lock contention by revoking calendar access grants in a separate transaction after calendar and event removal. Commit
• 🧩 Filter and internal tool coexistence. Internal tools now remain available when filters add provider-native tools, so filter-added tools no longer replace the built-in tool set during request processing. Commit, #​24237
• 🛠️ OpenAPI tool spec compatibility. OpenAPI tool integrations now handle null or non-operation path entries more safely and parse path-level parameters consistently, preventing crashes and improving tool execution reliability across imperfect OpenAPI specs. Commit, Commit, #​24376
• 🧰 OpenAPI tool schema parsing. OpenAPI tool imports now ignore non-method path item fields and correctly resolve nested composition schemas, preventing invalid tool parsing for compatible specs. Commit, #​23254
• 🌍 Web search proxy compatibility. DuckDuckGo search now respects configured proxy environments more reliably, and trust-env behavior defaults to enabled so proxied web loading does not fail unexpectedly. Commit, #​23810
• 🧾 Final markdown render flush. Streaming markdown now forces an immediate final parse when generation completes, preventing stale or partially rendered final output. Commit, #​24088
• 🛡️ Webhook avatar URL validation. Channel webhook profile image URLs are now validated before saving, preventing invalid or unsafe avatar URLs from being accepted. #​24370
• 📝 System prompt editor scroll stability. Editing large system prompts no longer jumps the page back to the top, so you can continue editing long model prompts without losing your place. Commit, #​23999
• 🔎 Knowledge content search matching. Knowledge file search now matches both file titles and file content, so relevant files are easier to find even when the keyword is not in the filename. Commit, #​24297
• ⚡ Faster prompt tag loading. Prompt tag filters now load much faster for non-admin users by fetching only accessible tags directly, avoiding per-prompt permission checks and unnecessary prompt data loading. #​24287, #​24258
• 🧾 Citation overflow badge readability. Citation overflow badges now keep multi-digit counts readable in a single compact bubble, preventing wrapped or cramped display when many sources are attached. Commit, #​24391
• 🌐 Yandex result parsing guard. Yandex web search no longer fails when some XML fields are missing in individual results, so valid search responses continue to return usable sources instead of dropping to no results. Commit, #​24243
• 🎧 Safer voice transcription uploads. Empty or failed voice conversions are now rejected with a clear error instead of continuing as malformed audio, reducing failed transcription attempts from corrupted or near-empty recordings. Commit
• 🎚️ Safer chunked STT processing. Chunked transcription now limits worker concurrency when no external STT engine is configured, reducing failed transcription behavior caused by overly parallel local processing. Commit
• 📈 Imported chat analytics coverage. Imported ChatGPT conversations now carry proper model and timestamp metadata and reliably write imported messages into analytics-backed storage, so imported chats are reflected correctly in Admin Analytics totals and model usage views. Commit, #​24263
• 📎 Knowledge collection persistence. Knowledge collections selected with the chat input selector now remain attached after reloads and chat switches, so attached context no longer disappears between sessions. Commit, #​24142
• 🧹 Embedding model name trimming. Embedding model names entered in Documents settings now automatically trim surrounding whitespace, preventing silent embedding failures caused by accidental trailing spaces. Commit, #​24090
• 🔊 PCM TTS playback compatibility. Text-to-speech audio returned as PCM is now converted to MP3 before delivery, so speech playback works correctly with providers that return raw PCM audio. Commit, #​24143
• 🪟 Windows PostgreSQL startup compatibility. Windows pip installs using PostgreSQL now start reliably with psycopg async by using a compatible event loop policy instead of the default Proactor loop. Commit, #​24152
• ⏱️ MCP OAuth timeout control. OAuth token exchanges for MCP tool server connections now respect the configurable client timeout setting, reducing callback failures with slower providers. Commit, #​24138
• 📄 PDF text search restoration. PDF previews now include a proper text layer so browser text selection and find-in-page search work again instead of rendering only image-like pages. Commit, #​24149
• 🔑 Android password autofill support. Password inputs now expose the expected field name metadata, improving password manager autofill reliability on Android login pages. Commit, #​24137
• 🎤 Non-blocking STT processing. Speech-to-text transcription no longer blocks the server event loop during both live transcription and uploaded audio file processing, so other users can continue using chats and live connections under concurrent load. #​24338, #​24379, #​24169
• 🌐 SearXNG language parameter handling. Web searches now send clean multi-language values without trailing separators, so SearXNG requests no longer fail when multiple languages are selected. Commit, #​24198
• 📂 File modal open-link behavior. Clicking a file name in the file details modal now opens the correct file content in a new tab for uploaded file items instead of failing to open. #​24125
• 📎 Chat attachment display recovery. Files attached by chat tools now appear reliably in assistant responses, including non-image file attachments that were previously hidden. Commit, #​24332
• 🧱 Channel embed rendering guard. Channel message embeds now appear only for model-generated messages and are suppressed in reply previews, preventing unintended embed expansion in regular user posts. Commit
• 🛡️ Safer image URL handling. Untrusted external image URLs are now blocked in profile and rich-text image rendering paths, preventing unintended client-side requests to attacker-controlled domains. #​24420
• 🛡️ Sanitized spreadsheet HTML previews. Spreadsheet previews now sanitize generated HTML before rendering, reducing the risk of unsafe content being executed when opening office files in chat and file modals. #​24468
• 🧰 Multi-worker tool update consistency. Updated tool code now refreshes correctly across workers without requiring a full service restart, so chats no longer run stale tool versions after edits. Commit, #​24400, #​24433
• 🧩 Default model metadata env parsing. The "DEFAULT_MODEL_METADATA" environment setting is now parsed and applied correctly, including when persistent config is disabled, so configured model capability defaults are no longer ignored at startup. Commit, #​24319
• 🔄 Config import and Redis consistency. Imported settings now remain effective after import because configuration values are immediately synchronized to Redis, preventing stale cached values from overriding imported permissions and settings. Commit, Commit, #​24346
• 🔔 LDAP signup webhook parity. New accounts created through LDAP now trigger the same signup webhook notifications as password and OAuth signups, so downstream provisioning and audit automations receive consistent events. Commit, #​24377
• 🦆 DDGS auto-backend compatibility. Web search now handles DDGS automatic backend selection correctly and safely falls back on empty or rate-limited responses, preventing search failures in newer DDGS versions. Commit, #​24188
• 🤖 Automation update tool reliability. Updating existing automations in chat now works correctly instead of failing with a missing method error. Commit, #​24405
• 📅 Calendar event permission checks. Calendar event update and delete actions now handle ownership and access checks more reliably, returning clean access-denied results when appropriate. Commit
• 🛡️ Safer cached file delivery. Cached files that are not recognized as image, audio, or video now download as attachments instead of rendering inline, reducing the risk of unsafe browser content handling. Commit
• 📊 Streaming token analytics accuracy. Admin Analytics now records and aggregates token usage correctly for streaming chats across Responses API and OpenAI-compatible providers, including fallback handling for provider usage formats that use prompt and completion token keys. Commit, Commit, #​24217, #​24294, #​24241
• 🔗 Admin shared chat links. Admin users can now open and clone shared chat links reliably without 401 errors because shared links are now resolved by share ID first, with safe fallback behavior for direct chat ID access. Commit, #​24311, #​24096
• 💾 Chat settings persistence. System prompts and other chat-level settings now persist correctly after creating a new chat and reloading, preventing prompt loss in affected conversations. Commit, #​24193, #​24270
• 💾 Chat control autosave persistence. Changes to chat controls like system prompt, parameters, and attached files are now autosaved on existing chats, so edits are no longer lost when you refresh or navigate away before sending a message. Commit, #​23897
• ☁️ OneDrive option visibility. OneDrive personal and business upload options now appear only when their respective client IDs are configured, preventing unavailable options from showing in attachment menus. Commit, #​24411
• 🧠 Reasoning content leakage prevention. Tool-call round-trip messages no longer wrap reasoning text in <think> tags inside the content field, preventing raw markup from leaking into chat output for models whose templates don't strip think tags (e.g. Gemma 4). #​23844
• 🖥️ Terminal sidebar auto-open guard. The terminal sidebar no longer auto-opens on chat load when OpenTerminal is disabled, because stale terminal IDs saved on models or in localStorage are now validated against available terminal servers before use.
• 🔁 Single-confirmation connection deletion. Deleting OpenAI, Ollama, tool server, and terminal server connections now shows exactly one confirmation dialog instead of two, because redundant outer confirmation wrappers were removed from all connection components.
• 🧵 Reliable background task cleanup. The chat task lifecycle now deregisters completed tasks before checking for remaining siblings, eliminating the off-by-one timing issue that could leave the stop button stuck or dismiss the sidebar activity spinner too early.

Changed

• ⚠️ Database Migrations: This release includes database schema changes; we strongly recommend backing up your database and all associated data before upgrading in production environments. If you are running a multi-worker, multi-server, or load-balanced deployment, all instances must be updated simultaneously, rolling updates are not supported and will cause application failures due to schema incompatibility.
• 🚪 Signout request method. The signout endpoint now requires POST instead of GET, so custom clients and integrations must update logout calls accordingly. #​24420

v0.9.3

Compare Source

Added

• 🔇 Voice Mode mute control. Voice Mode now includes a dedicated mute toggle with an "M" shortcut and auto-unmute after assistant playback, so you can prevent accidental interruptions from background noise without leaving the call overlay. Commit, #​23832
• 🚀 Faster prompt list loading. Prompt and prompt-tag pages now load much faster for non-admin users, even with large prompt libraries, because accessible prompts are filtered efficiently in a single database query. #​24288, #​24258
• ⚡ Faster chat history loading. Chat history maps now load from normalized message records when available, reducing overhead for large conversations while preserving fallback behavior for legacy chats. Commit, #​23159
• 🗑️ Delete from conversation menu. You can now delete the current conversation directly from the chat menu with a confirmation step, so cleanup is faster without searching through the full chat list. Commit, #​24329
• ⬆️ Scroll to Top shortcut. Long conversations now include a Scroll to Top action in the chat menu when you are away from the top, making it much faster to jump back to the beginning of a chat. Commit, #​24133
• 📅 Calendar creation flow. Users can now create calendars from a dedicated modal and a quick-add action in the calendar sidebar, making calendar setup faster from the calendar workspace. Commit, Commit
• 🧭 Unified model unload controls. Administrators can now unload running models from the model selector across supported providers, with loaded-state indicators shown for Ollama and llama.cpp models. Commit
• ⚡ Health check responsiveness. Health and readiness probes now avoid blocking database calls and skip sync session commit handling on probe paths, improving responsiveness and reducing false unready transitions during database pressure. #​24380, #​24384
• 🎛️ Playground controls panel. The Playground now includes a dedicated Controls toggle so you can adjust parameters like temperature and related settings per chat run without changing model-level defaults. Commit, #​24103
• 🎙️ STT file extension controls. Administrators can now configure which audio file extensions are accepted for speech-to-text uploads, helping enforce safer and more predictable upload policies. Commit
• 📷 Remembered call camera selection. Voice call overlay now remembers your last selected camera and restores it automatically when available, so you do not need to reselect it every time you start voice mode. Commit, #​24416
• 👥 User group prompt variable. System and templa

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • "after 2am,before 5am"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.