fix(container): update image ghcr.io/open-webui/open-webui ( v0.6.26 ➔ 0.6.27 )

[unsc-oni-ancilla]

This PR contains the following updates:

Package	Update	Change
ghcr.io/open-webui/open-webui	patch	v0.6.26 -> 0.6.27

---

Release Notes

open-webui/open-webui (ghcr.io/open-webui/open-webui)

v0.6.27

Compare Source

Added

• 📁 Emoji folder icons were added, allowing users to personalize workspace organization with visual cues, including improved chevron display. Commit, Commit, Commit, Commit
• 📁 The 'Search Collection' input field now dynamically displays the total number of files within the knowledge base. Commit
• ☁️ A provider toggle in connection settings now allows users to manually specify Azure OpenAI deployments. Commit
• ⚡ Model list caching performance was optimized by fixing cache key generation to reduce redundant API calls. #​17158
• 🎨 Azure OpenAI image generation is now supported, with configurations for IMAGES_OPENAI_API_VERSION via environment variable and admin UI. #​17147, #​16274, Docs:#​679
• ⚡ Comprehensive N+1 query performance is optimized by reducing database queries from 1+N to 1+1 patterns across major listing endpoints. #​17165, #​17160, #​17161, #​17162, #​17159, #​17166
• ⚡ The PDF.js library is now dynamically loaded, significantly reducing initial page load size and improving responsiveness. #​17222
• ⚡ The heic2any library is now dynamically loaded across various message input components, including channels, for faster page loads. #​17225, #​17229
• 📚 The knowledge API now supports a "delete_file" query parameter, allowing configurable file deletion behavior. Commit
• 📊 Llama.cpp timing statistics are now integrated into the usage field for comprehensive model performance metrics. Commit
• 🗄️ The PGVECTOR_CREATE_EXTENSION environment variable now allows control over automatic pgvector extension creation. Commit, Commit, Docs:#​672
• 🔒 Comprehensive server-side OAuth token management was implemented, securely storing encrypted tokens in a new database table and introducing an automatic refresh mechanism, enabling seamless and secure forwarding of valid user-specific OAuth tokens to downstream services, including OpenAI-compatible endpoints and external tool servers via the new "system_oauth" authentication type, resolving long-standing issues such as large token size limitations, stale/expired tokens, and reliable token propagation, and enhancing overall security by minimizing client-side token exposure, configurable via "ENABLE_OAUTH_ID_TOKEN_COOKIE" and "OAUTH_SESSION_TOKEN_ENCRYPTION_KEY" environment variables. Docs:#​683, #​17210, #​8957, #​11029, #​17178, #​17183, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit
• 🔒 Conditional Permission Hardening for OpenShift Deployments: Added a build argument to enable optional permission hardening for OpenShift and container environments. Commit
• 👥 Regex pattern support is added for OAuth blocked groups, allowing more flexible group filtering rules. Commit
• 💬 Web search result display was enhanced to include titles and favicons, providing a clearer overview of search sources. Commit, Commit, Commit, #​17197, #​14179, Commit, Commit, Commit, Commit, Commit, Commit
• 💬 A new setting was added to control whether clicking a suggested prompt automatically sends the message or only inserts the text. #​17192, Commit
• 🔄 Various improvements were implemented across the frontend and backend to enhance performance, stability, and security.
• 🌐 Translations for Portuguese (Brazil), Simplified Chinese, Catalan, and Spanish were enhanced and expanded.

Fixed

• 🔍 Hybrid search functionality now correctly handles lexical-semantic weight labels and avoids errors when BM25 weight is zero. #​17049, #​17046
• 🛑 Task stopping errors are prevented by gracefully handling multiple stop requests for the same task. #​17195
• 🐍 Code execution package detection precision is improved in Pyodide to prevent unnecessary package inclusions. Commit
• 🛠️ Tool message format API compliance is fixed by ensuring content fields in tool call responses contain valid string values instead of null. Commit
• 📱 Mobile app config API authentication now supports Authorization header token verification with cookie fallback for iOS and Android requests. #​17175
• 💾 Knowledge file save race conditions are prevented by serializing API calls and adding an "isSaving" guard. #​17137, Commit
• 🔐 The SSO login button visibility is restored for OIDC PKCE authentication without a client secret. #​17012
• 🔊 Text-to-Speech (TTS) API requests now use proper URL joining methods, ensuring reliable functionality regardless of trailing slashes in the base URL. #​17061
• 🛡️ Admin account creation on Hugging Face Spaces now correctly detects the configured port, resolving issues with custom port deployments. #​17064
• 📁 Unicode filename support is improved for external document loaders by properly URL-encoding filenames in HTTP headers. #​17013, #​17000
• 🔗 Web page and YouTube attachments are now correctly processed by setting their type as "text" and using collection names for accurate content retrieval. Commit
• ✍️ Message input composition event handling is fixed to properly manage text input for multilingual users using Input Method Editors (IME). #​17085
• 💬 Follow-up tooltip duplication is removed, streamlining the user interface and preventing visual clutter. #​17186
• 🎨 Chat button text display is corrected by preventing clipping of descending characters and removing unnecessary capitalization. #​17191
• 🧠 RAG Loop/Error with Gemma 3.1 2B Instruct is fixed by correctly unwrapping unexpected single-item list responses from models. Commit, #​17213
• 🖼️ HEIC conversion failures are resolved, improving robustness of image handling. #​17225
• 📦 The slim Docker image size regression has been fixed by refining the build process to correctly exclude components when USE_SLIM=true. #​16997, Commit, Commit
• 📁 Knowledge base update validation errors are resolved, ensuring seamless management via UI or API. #​17244, Commit
• 🔐 Resolved a security issue where a global web search setting overrode model-specific restrictions, ensuring model-level settings are now correctly prioritized. #​17151, Commit
• 🔐 OAuth redirect reliability is improved by robustly preserving the intended redirect path using session storage. #​17235, Commit, #​15575, Commit
• 🔐 Fixed a security vulnerability where knowledge base access within chat folders persisted after permissions were revoked. #​17182, Commit
• 🔒 OIDC access denied errors are now displayed as user-friendly toast notifications instead of raw JSON. #​17208, Commit
• 💬 Chat exception handling is enhanced to prevent system instability during message generation and ensure graceful error recovery. Commit
• 🔒 Static asset authentication is improved by adding crossorigin="use-credentials" attributes to all link elements, enabling proper cookie forwarding for proxy environments and authenticated requests to favicon, manifest, and stylesheet resources. #​17280, Commit

Changed

• 🛠️ Renamed "Tools" to "External Tools" across the UI for clearer distinction between built-in and external functionalities. Commit
• 🛡️ Default permission validation for message regeneration and deletion actions is enhanced to provide more restrictive access controls, improving chat security and user data protection. #​17285

v0.6.27

Compare Source

[0.6.27] - 2025-09-09

Added

• 📁 Emoji folder icons were added, allowing users to personalize workspace organization with visual cues, including improved chevron display. Commit, Commit, Commit, Commit
• 📁 The 'Search Collection' input field now dynamically displays the total number of files within the knowledge base. Commit
• ☁️ A provider toggle in connection settings now allows users to manually specify Azure OpenAI deployments. Commit
• ⚡ Model list caching performance was optimized by fixing cache key generation to reduce redundant API calls. #​17158
• 🎨 Azure OpenAI image generation is now supported, with configurations for IMAGES_OPENAI_API_VERSION via environment variable and admin UI. #​17147, #​16274, Docs:#​679
• ⚡ Comprehensive N+1 query performance is optimized by reducing database queries from 1+N to 1+1 patterns across major listing endpoints. #​17165, #​17160, #​17161, #​17162, #​17159, #​17166
• ⚡ The PDF.js library is now dynamically loaded, significantly reducing initial page load size and improving responsiveness. #​17222
• ⚡ The heic2any library is now dynamically loaded across various message input components, including channels, for faster page loads. #​17225, #​17229
• 📚 The knowledge API now supports a "delete_file" query parameter, allowing configurable file deletion behavior. Commit
• 📊 Llama.cpp timing statistics are now integrated into the usage field for comprehensive model performance metrics. Commit
• 🗄️ The PGVECTOR_CREATE_EXTENSION environment variable now allows control over automatic pgvector extension creation. Commit, Commit, Docs:#​672
• 🔒 Comprehensive server-side OAuth token management was implemented, securely storing encrypted tokens in a new database table and introducing an automatic refresh mechanism, enabling seamless and secure forwarding of valid user-specific OAuth tokens to downstream services, including OpenAI-compatible endpoints and external tool servers via the new "system_oauth" authentication type, resolving long-standing issues such as large token size limitations, stale/expired tokens, and reliable token propagation, and enhancing overall security by minimizing client-side token exposure, configurable via "ENABLE_OAUTH_ID_TOKEN_COOKIE" and "OAUTH_SESSION_TOKEN_ENCRYPTION_KEY" environment variables. Docs:#​683, #​17210, #​8957, #​11029, #​17178, #​17183, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit, Commit
• 🔒 Conditional Permission Hardening for OpenShift Deployments: Added a build argument to enable optional permission hardening for OpenShift and container environments. Commit
• 👥 Regex pattern support is added for OAuth blocked groups, allowing more flexible group filtering rules. Commit
• 💬 Web search result display was enhanced to include titles and favicons, providing a clearer overview of search sources. Commit, Commit, Commit, #​17197, #​14179, Commit, Commit, Commit, Commit, Commit, Commit
• 💬 A new setting was added to control whether clicking a suggested prompt automatically sends the message or only inserts the text. #​17192, Commit
• 🔄 Various improvements were implemented across the frontend and backend to enhance performance, stability, and security.
• 🌐 Translations for Portuguese (Brazil), Simplified Chinese, Catalan, and Spanish were enhanced and expanded.

Fixed

• 🔍 Hybrid search functionality now correctly handles lexical-semantic weight labels and avoids errors when BM25 weight is zero. #​17049, #​17046
• 🛑 Task stopping errors are prevented by gracefully handling multiple stop requests for the same task. #​17195
• 🐍 Code execution package detection precision is improved in Pyodide to prevent unnecessary package inclusions. Commit
• 🛠️ Tool message format API compliance is fixed by ensuring content fields in tool call responses contain valid string values instead of null. Commit
• 📱 Mobile app config API authentication now supports Authorization header token verification with cookie fallback for iOS and Android requests. #​17175
• 💾 Knowledge file save race conditions are prevented by serializing API calls and adding an "isSaving" guard. #​17137, Commit
• 🔐 The SSO login button visibility is restored for OIDC PKCE authentication without a client secret. #​17012
• 🔊 Text-to-Speech (TTS) API requests now use proper URL joining methods, ensuring reliable functionality regardless of trailing slashes in the base URL. #​17061
• 🛡️ Admin account creation on Hugging Face Spaces now correctly detects the configured port, resolving issues with custom port deployments. #​17064
• 📁 Unicode filename support is improved for external document loaders by properly URL-encoding filenames in HTTP headers. #​17013, #​17000
• 🔗 Web page and YouTube attachments are now correctly processed by setting their type as "text" and using collection names for accurate content retrieval. Commit
• ✍️ Message input composition event handling is fixed to properly manage text input for multilingual users using Input Method Editors (IME). #​17085
• 💬 Follow-up tooltip duplication is removed, streamlining the user interface and preventing visual clutter. #​17186
• 🎨 Chat button text display is corrected by preventing clipping of descending characters and removing unnecessary capitalization. #​17191
• 🧠 RAG Loop/Error with Gemma 3.1 2B Instruct is fixed by correctly unwrapping unexpected single-item list responses from models. Commit, #​17213
• 🖼️ HEIC conversion failures are resolved, improving robustness of image handling. #​17225
• 📦 The slim Docker image size regression has been fixed by refining the build process to correctly exclude components when USE_SLIM=true. #​16997, Commit, Commit
• 📁 Knowledge base update validation errors are resolved, ensuring seamless management via UI or API. #​17244, Commit
• 🔐 Resolved a security issue where a global web search setting overrode model-specific restrictions, ensuring model-level settings are now correctly prioritized. #​17151, Commit
• 🔐 OAuth redirect reliability is improved by robustly preserving the intended redirect path using session storage. #​17235, Commit, #​15575, Commit
• 🔐 Fixed a security vulnerability where knowledge base access within chat folders persisted after permissions were revoked. #​17182, Commit
• 🔒 OIDC access denied errors are now displayed as user-friendly toast notifications instead of raw JSON. #​17208, Commit
• 💬 Chat exception handling is enhanced to prevent system instability during message generation and ensure graceful error recovery. Commit
• 🔒 Static asset authentication is improved by adding crossorigin="use-credentials" attributes to all link elements, enabling proper cookie forwarding for proxy environments and authenticated requests to favicon, manifest, and stylesheet resources. #​17280, Commit

Changed

• 🛠️ Renamed "Tools" to "External Tools" across the UI for clearer distinction between built-in and external functionalities. Commit
• 🛡️ Default permission validation for message regeneration and deletion actions is enhanced to provide more restrictive access controls, improving chat security and user data protection. #​17285

[!TIP]
Looking for an Enterprise Plan? – Speak with Our Sales Team Today!

Get enhanced capabilities, including custom theming and branding, Service Level Agreement (SLA) support, and more!

👏 Massive thanks to our incredible contributors for their hard work and dedication to making this release possible:
@​athoik, @​rgaricano, @​Classic298, @​Elettrotecnica, @​thomascooper, @​garylab, @​Ithanil, @​dependabot[bot], @​acwoo97, @​aleixdorca, @​aREversez, @​AdamJohnSwan, @​hadadrjt, @​Viruzaum, @​joaoback, @​ShirasawaSama

Sponsors 🙌

🚀 We'd like to extend a heartfelt thank you to our amazing sponsors for their generous support (Note: We've excluded private sponsors from this list. If you'd like to get featured here, feel free to reach out to us!)

Emerald

• Tailscale
• Warp

@​amd, @​agency-agency, @​roosi-gmbh, @​feddersen-group, @​SRKConsulting, @​mushmax, @​rndmcnlly, @​icanbwell, @​Krambu-Travis, @​loitragg, @​GenieDev101, @​CubicleGangster, @​GitDatamind, @​TOWaB, @​TheZigGroup, @​Classic298, @​comet-ml, @​FominVO, @​catalyst-net-nz, @​JrdnHans, @​hkosm, @​VeroFess, @​joaoback

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[unsc-oni-ancilla]

--- kubernetes/apps/default/open-webui/app Kustomization: default/open-webui HelmRelease: default/open-webui

+++ kubernetes/apps/default/open-webui/app Kustomization: default/open-webui HelmRelease: default/open-webui

@@ -29,13 +29,13 @@

           app:
             env:
               OLLAMA_BASE_URL: http://10.0.30.6:11434
               TZ: America/New_York
             image:
               repository: ghcr.io/open-webui/open-webui
-              tag: v0.6.26
+              tag: 0.6.27
             resources:
               limits:
                 memory: 1500Mi
               requests:
                 cpu: 200m
                 memory: 1000Mi

[unsc-oni-ancilla]

--- HelmRelease: default/open-webui Deployment: default/open-webui

+++ HelmRelease: default/open-webui Deployment: default/open-webui

@@ -38,13 +38,13 @@

       containers:
       - env:
         - name: OLLAMA_BASE_URL
           value: http://10.0.30.6:11434
         - name: TZ
           value: America/New_York
-        image: ghcr.io/open-webui/open-webui:v0.6.26
+        image: ghcr.io/open-webui/open-webui:0.6.27
         name: app
         resources:
           limits:
             memory: 1500Mi
           requests:
             cpu: 200m