v0.9.6
Release Notes
Added
- Official knowledge base sync tool. A new companion tool from Open WebUI, oikb, keeps a knowledge base in sync with a local directory, GitHub repo, S3 bucket, Confluence space, or any of more than 40 other sources, uploading only new and changed files using the incremental sync support added in this release.
- Smart directory sync for knowledge bases. Local directories can now be synced into a knowledge base in one action: file checksums are compared against what's already stored, and only added or modified files are uploaded while removed files and orphaned subdirectories are cleaned up, with the directory structure mirrored automatically and per-file progress shown throughout. #19190, #19394
- Knowledge base folders. Files inside a knowledge base can now be organized into nested folders, with breadcrumb navigation that makes it much easier to manage and find content in large collections.
- Filesystem tool for knowledge bases. A new built-in tool, enabled via the "ENABLE_KB_EXEC" environment variable, lets AI models browse and search knowledge base contents using familiar filesystem commands such as 'ls', 'cat', 'grep', 'find', 'head', 'tail', and 'sed', including pipes between them.
- File renaming in knowledge bases. Files inside a knowledge base can now be renamed directly from the workspace, with the new name reflected wherever the file is referenced.
- Emoji picker in message input. A new emoji button in the rich text formatting toolbar lets you browse and insert emojis directly into your messages. #24704
- Per-chat skills toggle. Skills can now be turned on or off for a conversation directly from the chat Integrations menu, the same way tools and capabilities already work, instead of only through the model preset. #25036, #25037
- Access preview for users and groups. Administrators can now preview exactly which models, knowledge bases, and tools a given user or group can access, making it easier to audit and verify permission setups.
- Configurable knowledge base file page size. Administrators can now request a larger page size when listing a knowledge base's files through the API, reducing the number of requests needed to retrieve large collections instead of paging through fixed increments of 30. #25148
- Persistent processing indicator for knowledge files. Files still being processed in a knowledge base now keep showing a processing indicator across page reloads, so you can tell what's still ingesting after navigating away and back. #25031
- MinerU file type configuration. Administrators can now configure which file types are processed by the MinerU document loader, via the new "MINERU_FILE_EXTENSIONS" setting, extending it beyond PDF to formats like DOCX, PPTX, and XLSX.
- Legacy Word document support. Older ".doc" Word files can now have their text extracted by the default document extraction engine, in addition to the modern ".docx" format.
- Create subfolders from the folder header. Chat folders can now have subfolders created directly from the folder header in the chat view, not just from the sidebar.
- Faster initial page loads. The configuration endpoint that loads on every page visit no longer runs an unnecessary user-count query, making the initial application load lighter on the database, especially on instances with many users.
- Faster tool-enabled chat completions. Chat completions that use multiple tools now start faster because the tools they reference are fetched from the database in a single batch query instead of one query per tool. #24808
- More responsive web search under load. Web search through SearXNG, Google PSE, Brave, Serper, and Serpstack now uses non-blocking network calls, so the server stays responsive to other users while a search is in flight, and concurrent multi-query searches complete faster.
- Lighter Ollama backend connections. Requests to Ollama backends now reuse a shared connection pool instead of opening a fresh session each time, reducing TCP and TLS handshake overhead for installs that poll Ollama frequently or have multiple backends configured.
- Fewer redundant model-list writes. On multi-instance deployments backed by Redis, the model list is no longer rewritten when it hasn't changed, cutting a major source of redundant writes. #25469, #25474
- Faster websocket disconnect cleanup. Disconnecting from a collaborative session no longer triggers a scan across the entire Redis keyspace, using a per-session index instead, which keeps disconnects cheap on large deployments. #25466
- Frontmatter auto-fill for tools, functions, and skills. Opening a tool, function, or skill editor now auto-fills the name, id, and description fields from the file's frontmatter, saving you from re-entering metadata already declared in the source. #24649
- More user placeholders in custom headers. Custom-header templates for direct connections and tool servers now support "{{USER_EMAIL}}" and "{{USER_ROLE}}" alongside the existing user and session placeholders.
- Configurable MCP connection timeout. The timeout for the initial handshake with an MCP tool server is now configurable via the new "MCP_INITIALIZE_TIMEOUT" setting, so servers that are slow to start or expose many tools can finish connecting instead of timing out. #25011
- Profile image size limit. Administrators can now cap the size of inline profile images via the new "PROFILE_IMAGE_MAX_DATA_URI_SIZE" setting, bounding how much database and cache space inline avatars and model icons can consume. #25468, #25476
- Wildcard OAuth role mapping. Administrators can now set "*" in the allowed OAuth roles to grant the user role to any authenticated OAuth user, instead of having to enumerate every accepted role. #25062
- Paginated feedback history. The feedback and evaluation history list is now paginated, keeping it responsive for instances that have accumulated large numbers of feedback entries.
- Bulk enable or disable automations. Automations can now be enabled or disabled in bulk from an actions menu on the automations page, instead of toggling each one individually.
- Optional auto-redirect to single sign-on. Administrators can now enable "OAUTH_AUTO_REDIRECT" so that, on deployments with a single sign-on provider and no other login methods, users are sent straight to the provider instead of seeing a login page first. #25067
- Azure AI Foundry v1 with Entra ID. Open WebUI now supports Azure AI Foundry's OpenAI v1 endpoint together with Microsoft Entra ID authentication, so these connections work without manual workarounds. #24761, #24985
- Linkup web search provider. Administrators can now select Linkup as the web search provider from the admin settings, with options to configure the API key and search depth. #24752
- Valkey vector database support. Valkey can now be used as the vector database backend, configurable through new "VALKEY_URL" and related settings including index type, distance metric, and HNSW tuning. #24769
- General improvements. Various improvements were implemented across the application to enhance performance, stability, and security.
- Translation updates. Translations for Spanish (Spain), Swedish, German, Korean, Catalan, Russian, Irish, Simplified Chinese, Traditional Chinese, Finnish, Polish, Turkish, and Malay were enhanced and expanded.
Fixed
- Security Advisory: This release includes security and access-control fixes. We recommend updating production deployments at your earliest convenience. Not all security fixes in this version may be enumerated in the fixed section; some may be withheld for a short time to give administrators time to upgrade.
- Tool server permission enforcement. The per-user permission for inline tool servers is now enforced on chat-completion requests, so users without that permission can no longer bypass the admin setting by supplying tool servers directly in their requests.
- Knowledge base access check in search tool. The built-in knowledge search tool now verifies that the caller can access a knowledge base before searching it by id, preventing users from reading the contents of knowledge bases they have not been granted access to. #25113
- Cross-user access to retrieval collections. Resolving the documents used for retrieval now verifies the caller's access to each referenced file and rejects client-supplied collection names, preventing a crafted request from pulling another user's files or vector collections into its context.
- Collection name validation. Vector collection names are now rejected unless they contain only safe characters, preventing malformed names from reaching the vector store or breaking out of a database query expression. #24982
- Unscoped retrieval collections denied by default. Retrieval requests for collection names that don't correspond to a known file, memory, web-search, or knowledge base are now denied for non-admins by default, with a new "ENABLE_RETRIEVAL_UNSCOPED_COLLECTIONS" setting to restore the previous behavior if needed.
- Prompt history authorization. Comparing, deleting, and restoring prompt versions now verify the history entry belongs to the prompt you're authorized for, preventing access to or modification of another prompt's version history. #25056
- Code interpreter permission on the legacy path. The legacy code-execution path now enforces the same permission and capability checks as the current one, so users without the code interpreter permission can no longer trigger code execution through it. #24724
- API key endpoint restriction bypass. The endpoint allow-list that limits which paths an API key may reach is now matched against the routed request path directly, preventing a crafted request from slipping past the restriction. #25123
- System prompt bypass via request parameter. The flag that skips a model's configured system prompt can no longer be set by external clients through a request parameter, so admin-configured system prompts can't be bypassed from the API. #25156
- Terminal proxy path traversal. The terminal proxy now fully decodes request paths before validating them, blocking multi-encoded payloads that could otherwise escape the intended path. #25157
- Cache file path traversal. The cache file server now requires an exact directory boundary match, closing a gap where a sibling directory whose name began with the cache directory's name could be used to serve files from outside it. #25086
- Ollama backend selection access check. Requests can no longer target an arbitrary Ollama backend by index; a caller-supplied backend selector is now verified against the backends that actually serve the requested model.
- Cross-user file exfiltration via image URLs. When a chat message references a file by id in an "image_url" field, the server now resolves that file only for its owner, an administrator, or a user with an explicit read grant, preventing other authenticated users from extracting a file's contents by routing it through the model. #24625
- Chat file attachment access checks. Attaching files to a chat now links only files the caller can read, preventing a user from associating another user's file with their chat to access its contents. #25054
- Model knowledge file ownership checks. Creating or updating a model now verifies that any knowledge files attached to it are files the editor can access, preventing another user's files from being attached to a model. #25055
- Calendar event move authorization. Updating a calendar event to move it into a different calendar now requires write access on the destination calendar, preventing users from injecting events into calendars they cannot write to. #24764
- Channel chat access control. Generating a response in a channel context now verifies the caller's access to that channel and scopes the included messages, preventing access to channels or messages the user isn't permitted to see. #24725
- Web loader SSRF gating with Playwright. When the Playwright-based web loader is in use, page navigations and redirects are now validated the same way as the default loader, closing a gap where the Playwright path could reach internal or otherwise blocked URLs. #24756
- DNS rebinding protection for URL fetches. The IP address validated for an outbound URL fetch is now the same one used for the actual connection, closing a DNS rebinding window where an attacker-controlled hostname could resolve to a public IP during the safety check and then to a private IP when the connection was opened. #24759
- OAuth profile picture redirect handling. The OAuth profile picture fetch now follows redirects only when administrators have explicitly allowed it, closing a window where a redirect from an externally validated URL could be used to reach internal addresses. #24809
- Model profile image script injection. Model profile images are now validated on save and only served inline when they are a known-safe image type, preventing a crafted SVG profile image from running scripts in other users' browsers, while existing legacy images that fail validation are cleared gracefully instead of breaking the model list. #25060, #25173
- Diagram rendering script injection. Mermaid diagrams rendered in chat are now sanitized before display, preventing a crafted diagram from running scripts in the viewer's browser. #25219
- Shared-chat file write protection. Access to a file through a shared chat now only grants read access, so users who can read a shared chat can no longer modify or delete files attached to it. #24755
- Cross-origin embed prompt control. When Open WebUI is embedded in an iframe on a different origin, the embedding page can now only drive the chat input or submit prompts if the user has explicitly opted in via the "iframe Sandbox Allow Same Origin" setting, preventing untrusted host pages from triggering confirmation dialogs or controlling the chat. #24767
- Chat folder ownership checks. Creating a chat or updating a chat's folder now verifies the referenced folder belongs to the current user, preventing chats from being associated with folders owned by other people. #24588
- Chat recovery from corrupted history. Chats whose internal message graph was left in a malformed state by a failed regeneration now open and load correctly, with missing roles, parent references, and current-message pointers reconstructed automatically instead of breaking the chat. #24424, #24157, #20474, #24799
- Imported chats with folders appear correctly. Importing grouped chats no longer leaves them invisible when a referenced folder is missing; such chats now appear in the chat list instead of being silently orphaned. #24910
- MCP tool server sessions stay connected. OAuth-authenticated MCP tool server sessions are no longer mistakenly refreshed and deleted by the single sign-on session handler, so those connections stay active. #24618
- MCP OAuth scope discovery. The OAuth flow for MCP tool servers now reads the scopes a server advertises through its Protected Resource Metadata, so connecting to servers that declare their own scopes succeeds. #24730, #24690
- Web search reliability. Web search again fetches page content reliably with the default web loader engine, a new "USER_AGENT" environment variable lets administrators set a real browser user-agent so fetches aren't blocked by Cloudflare, Wikipedia, and other bot-detection systems, and the startup script no longer fails to launch when these new environment variables are unset. #24560, #24793, #24683
- Firecrawl web search results. Web search using Firecrawl now returns results correctly regardless of which response format the Firecrawl version uses. #24712
- Kagi web search. Web search using Kagi works again after its API endpoint and request method were updated to match Kagi's current API. #25015
- Bracketed numbers in code blocks. Numbers in square brackets such as "[0]" inside code blocks are no longer stripped out as if they were source citations, so code displays and copies correctly. #24948
- API chat completions reliability. Direct calls to the chat completions API no longer fail with an internal error when no chat session identifier is supplied. #24553, #25235
- ComfyUI image generation and editing. Generating and editing images via a ComfyUI backend now works again, including when ComfyUI is hosted on a private or internal network where URL validation was previously blocking the admin-configured endpoint. #24565
- Image generation with non-standard response headers. Image generation now works with backends that return valid JSON without a standard content-type header, instead of rejecting the response. #24838
- Knowledge search on large documents. Searching knowledge bases on PostgreSQL no longer fails when scanning across documents with very large extracted text content. #24670
- Chat title generation. Automatically generated chat titles now use the model currently selected in the dropdown for the active chat and fall back to the model from the active message branch otherwise, and a clear message is shown if no model is available instead of an unhelpful error. #24604, #24745
- Message search and analytics consistency. Edits, deletions, and branch changes made in a chat are now reflected in message search results and analytics counts instead of leaving stale entries behind. #25205
- Graceful handling of in-chat task failures. When web search query generation, image prompt generation, or a tool call fails or references a missing tool, the chat now falls back or surfaces a clear error instead of breaking partway through the response. #25038, #25144
- Filter changes to message output. Filter functions that modify a message's structured output after generation now have those changes saved and displayed, instead of being discarded when only the output, not the text content, was changed. #24884
- Titles and tags reflect filtered output. Outlet filters now run before automatic title, tag, and follow-up generation, so those are based on the final filtered message instead of the unfiltered version. #24717
- Action-replaced message content persists. Message content replaced by an action function through its event emitter is now kept when the chat is saved, instead of reverting to the original after a page reload. #24585, #25485
- Skill mentions in messages. Mentioning a skill in a message now keeps the skill's name as readable text instead of removing it, and selecting a skill without typing anything no longer causes an error on providers that reject empty messages. #24929
- Usage timer cleanup on send failure. The background usage-stats timer started during message generation is now always cleared, even when sending a message fails, preventing leaked timers from accumulating over a session. #25478
- Background tasks stop when a chat is removed. Deleting or archiving a chat now cancels any in-flight generation or title and tag tasks for it, instead of leaving orphaned background work running. #25050
- Responsive knowledge file search. Searching for knowledge files in the chat picker and model knowledge selector now matches on file names by default instead of scanning the full extracted text of every document on each keystroke, keeping the search responsive on large deployments, with content search available as an explicit opt-in. #25082, #25119
- Document processing with empty embeddings. Saving documents to the vector database no longer crashes when an embedding step returns no vectors, allowing the process to continue instead of failing the whole upload. #25166
- Non-UTF-8 text and CSV uploads. Text and CSV files saved in legacy encodings, including Latin-1, Windows-1252, and Chinese encodings such as GB18030, are now detected and loaded correctly instead of being rejected as binary or failing with an empty-content error. #25172, #24973
- Null bytes in nested data no longer break saves. Data containing null bytes nested inside structured fields is now sanitized correctly before being written, preventing database errors that the previous check failed to catch. #25018
- Clear error when no embedding model is configured. Using knowledge or retrieval features without a loaded embedding model now returns a clear setup error explaining what to configure, instead of failing with a cryptic crash.
- Memory search quality. Memory searches now apply the configured embedding query prefix, so retrieval works correctly with embedding models that require one for queries. #24921
- Knowledge tool context overflow. The built-in tool that lists a model's knowledge no longer dumps every file in every knowledge base into the model's context; it now returns summaries by default and paginates file listings only for a requested knowledge base. #25105
- Terminal session stability. The terminal proxy no longer hangs when one direction of the connection closes before the other, so terminal sessions shut down cleanly instead of stalling. #25464, #25479
- Tool call continuity with strict providers. Chats that contain incomplete tool calls or orphaned tool results no longer fail to continue when sent to providers that strictly validate tool pairings, such as Anthropic and AWS Bedrock Converse. #24758, #24940, #24798
- Stream termination for pipe functions. Streamed responses from pipe functions now always send the standard end-of-stream marker, so chat clients and external integrations reliably detect when a response is complete instead of waiting on streams that already finished. #24763
- Non-blocking text-to-speech transcoding. Converting text-to-speech audio to MP3 no longer blocks the server's event loop, so other requests stay responsive even while a TTS response is being transcoded. #24876
- Default text-to-speech voice. Text-to-speech requests now honor the voice specified in the request and fall back to the configured default only when none is given, instead of always using the admin default or failing. #15143, #25035
- Reliable knowledge base file linking. Files uploaded to a knowledge collection are now linked on the server as part of the upload itself, so they remain attached to the collection even if you navigate away or close the page before processing finishes. #24807
- Azure connections on custom hostnames. Connections marked as the Azure provider now use the Azure code path even when the endpoint does not contain "azure" in its hostname, fixing custom Azure deployments served from non-standard domains. #24882
- Clearing calendar event fields. Removing the description or location from a calendar event now saves correctly instead of silently keeping the previous value. #25026
- Advanced parameter settings. Custom reasoning tags and custom model parameters are now saved correctly instead of being dropped, and the presence penalty and repeat penalty no longer save the frequency penalty's value instead of their own. #25183, #25200, #25204
- Long username display. Long usernames no longer overflow their containers in the admin user list, user modals, and sidebar. #25185
- All skills selectable in the model editor. The model editor's skills selector now lists every skill you have access to, with a search box for large lists, instead of showing only the first 30 with no way to reach the rest. #24873
- Accurate knowledge upload feedback. Dragging files into a knowledge base no longer shows an upload notification before the upload has actually been processed. #25484
- High-contrast timestamp readability. The user message timestamp now uses the correct colors in high-contrast mode instead of inverted ones, keeping it readable. #25461
- Keyboard and screen reader access to menus. The integrations, more-options, and user menus are now real buttons with labels and keyboard support, so they can be opened with the keyboard and announced by screen readers.
- Focus-loss handling in editors. Workspace and admin editors for models, tools, functions, and skills again respond correctly when the browser window loses focus, after the wrong event name was being listened for. #25459
- Resilience to corrupted local storage. Corrupted data in the browser's local storage no longer crashes the interface; affected settings and dismissed-banner state now fall back to safe defaults. #25481
- Quieter reconnection notifications. Brief connection interruptions, such as backgrounding a mobile tab, no longer flash a "connection lost" warning, and the "reconnected" message only appears if a disconnect was actually shown.
- Safari PDF handling. PDF processing now works in Safari, which doesn't support the stream iteration the previous code relied on. #25151, #25473
- Voice mode mute shortcut listing. The keyboard shortcut for muting voice mode now appears in the keyboard shortcuts help modal. #25193
- Document attachments in channel model replies. Tagging a model in a channel thread now forwards uploaded non-image documents such as PDFs and DOCX files into the model's context, so document summarization and comparison workflows that already worked in direct chat now work in channels too. #24896, #24898
- Hidden models in channel mentions. Models marked as hidden no longer appear in the channel message-input model mention selector, matching how hidden models are excluded elsewhere in the interface. #24892
- Channel thread and pinned message stability. Opening a channel thread or the pinned messages view no longer fails to render when a message or its data is missing. #25209
- YouTube short link transcripts. Pasting a "youtu.be" short link into a chat now loads the video transcript correctly instead of failing with an empty-content error. #24856
- Hidden models in default-model and automation pickers. The admin pickers for default models and default pinned models, and the automation model dropdown, now filter out hidden models, consistent with how hidden models are treated elsewhere. #24869
- Speech-to-text SSL setting honored. Speech-to-text requests now respect the "AIOHTTP_CLIENT_SESSION_SSL" setting, so administrators using self-signed certificates or custom SSL configurations can use STT engines that were previously failing TLS verification. #24568, #24857
- Placeholders in MCP connection headers. Custom header templates configured on MCP server connections now have their "{{USER_ID}}", "{{USER_NAME}}", "{{USER_EMAIL}}", "{{USER_ROLE}}", "{{CHAT_ID}}", and "{{MESSAGE_ID}}" placeholders interpolated at request time, matching how custom headers already work for direct connections and tool servers. #24822
- Bing search CLI smoke test. Running the Bing web-search module from the command line for a quick connectivity check no longer raises an error about missing arguments. #24765, #24768
- Database health check recovery. After a transient database connection error, the health check endpoint now recovers automatically instead of staying permanently broken on the affected worker.
- Startup on non-Unicode consoles. Open WebUI no longer crashes at startup when the console can't encode the banner's box-drawing characters, such as on Windows or with redirected or headless output, falling back to a plain-text banner instead. #24965, #25482
- First admin signup after a reset. Creating the first administrator account is no longer blocked by a previously stored signup setting, so a fresh or reset instance can always be bootstrapped. #24821
- JSON exception logging. With JSON log formatting enabled, exceptions are now recorded correctly with a structured type, message, and stacktrace instead of being dropped, and a logging failure can no longer crash the application. #25135
- Workspace skills permission. Users granted only the "workspace.skills" permission can now see the workspace entry in the sidebar and are correctly routed to the skills page from the workspace index. #24729
- Resilient database migrations. Database migrations now skip tables, indexes, and columns that already exist and add missing primary keys to legacy tables, so upgrades succeed even when parts of the schema were manually or partially created beforehand. #24722
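
The two path traversal fixes above (terminal proxy, #25157, and cache file server, #25086) come down to two checks: decode the path until it stops changing, and compare against the base directory on a path-component boundary. The sketch below is an added example, not Open WebUI's code; the function names, the decode-round limit and the sample directories are assumptions made for illustration.

```python
"""Added example: path checks matching the two traversal fixes described above."""
import os
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 8  # assumption: upper bound on nested percent-encoding layers


def decode_once(path: str) -> str:
    """Single-pass decode: the shape that multi-encoded input slips through."""
    return unquote(path)


def fully_decode(path: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("too many percent-encoding layers")


def prefix_check(base: str, candidate: str) -> bool:
    """Weak form: string prefix test, which also matches sibling directories."""
    return os.path.realpath(candidate).startswith(os.path.realpath(base))


def boundary_check(base: str, candidate: str) -> bool:
    """Exact boundary: candidate is the base directory or lies beneath it."""
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([base_real, cand_real]) == base_real


def resolve_under(base: str, raw_path: str) -> str:
    """Decode fully, then join and enforce the directory boundary."""
    decoded = fully_decode(raw_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    candidate = os.path.join(base, decoded.lstrip("/"))
    if not boundary_check(base, candidate):
        raise ValueError("path escapes base directory")
    return os.path.realpath(candidate)


# Constructed sample values; the directory names are hypothetical.
CACHE_DIR = "/srv/app/cache"
SIBLING_FILE = "/srv/app/cache_backup/secret.txt"
DOUBLE_ENCODED = "files/%252e%252e/%252e%252e/etc/passwd"

if __name__ == "__main__":
    print("one decode pass:", decode_once(DOUBLE_ENCODED))
    print("full decode    :", fully_decode(DOUBLE_ENCODED))
    print("prefix check accepts sibling  :", prefix_check(CACHE_DIR, SIBLING_FILE))
    print("boundary check accepts sibling:", boundary_check(CACHE_DIR, SIBLING_FILE))
    print("legit path:", resolve_under(CACHE_DIR, "audio/speech.mp3"))
    try:
        resolve_under(CACHE_DIR, DOUBLE_ENCODED)
    except ValueError as exc:
        print("rejected:", exc)
```

A validator that decodes once and then looks for ".." sees none in the sample input, which is why the decode has to run to a fixpoint before any check is applied.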
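
The DNS rebinding fix above (#24759) is a check-then-use problem: the address that passes validation has to be the address the connection uses. The sketch below is an added example, not Open WebUI's code; the function names, the resolver class and the sample addresses are constructed for illustration, and the resolver is injected so the behaviour can be shown offline.

```python
"""Added example: validate-and-pin versus validate-then-resolve-again."""
import ipaddress
import socket
from typing import Callable, List

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Real lookup via getaddrinfo; the demo below uses a constructed resolver."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_public(ip: str) -> bool:
    """True only for globally routable addresses (no loopback, RFC 1918, link-local)."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        addr = mapped
    return addr.is_global


def resolve_unpinned(host: str, resolve: Resolver) -> str:
    """Weak shape: check one lookup, then connect using a second lookup."""
    checked = resolve(host)
    if not checked or not all(is_public(ip) for ip in checked):
        raise ValueError(f"{host}: blocked address")
    return resolve(host)[0]  # the address the connection would really use


def resolve_pinned(host: str, resolve: Resolver) -> str:
    """Fixed shape: one lookup; the validated address is the one connected to."""
    checked = resolve(host)
    if not checked or not all(is_public(ip) for ip in checked):
        raise ValueError(f"{host}: blocked address")
    # Connect to this literal IP; keep `host` for the Host header and TLS SNI.
    return checked[0]


class FlippingResolver:
    """Constructed stand-in for a hostname whose answer changes between lookups."""

    def __init__(self, answers: List[str]):
        self._answers = list(answers)
        self.calls = 0

    def __call__(self, host: str) -> List[str]:
        index = min(self.calls, len(self._answers) - 1)
        self.calls += 1
        return [self._answers[index]]


# Constructed sample data: a public answer followed by a private one.
SAMPLE_ANSWERS = ["93.184.216.34", "10.0.0.5"]
SAMPLE_HOST = "rebind.example"  # hypothetical hostname

if __name__ == "__main__":
    weak = FlippingResolver(SAMPLE_ANSWERS)
    print("unpinned connects to:", resolve_unpinned(SAMPLE_HOST, weak),
          "after", weak.calls, "lookups")
    fixed = FlippingResolver(SAMPLE_ANSWERS)
    print("pinned connects to  :", resolve_pinned(SAMPLE_HOST, fixed),
          "after", fixed.calls, "lookup")
```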
Changed
- Database Migrations: This release includes database schema changes; we strongly recommend backing up your database and all associated data before upgrading in production environments. If you are running a multi-worker, multi-server, or load-balanced deployment, all instances must be updated simultaneously; rolling updates are not supported and will cause application failures due to schema incompatibility.
- Tool-call iteration cap renamed and raised. The environment variable that limits how many tool calls a single chat response may make is now "CHAT_RESPONSE_MAX_TOOL_CALL_ITERATIONS", with its default raised from 30 to 256 and a new "-1" value for unlimited; the previous "CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES" name continues to work as a fallback, and chats that hit the cap now show a clear error in-chat instead of stopping silently. #24918
- Reduced public "/api/config" exposure. The "/api/config" response no longer includes several feature flags ("enable_api_keys", "enable_password_change_form", "enable_version_update_check", "enable_public_active_users_count", "enable_easter_eggs") for unauthenticated callers, reducing information disclosure to anonymous visitors.
- "WEBUI_SECRET_KEY" is now a hard requirement even for unsupported deployments. Deployments that start the backend in an explicitly unsupported way (such as invoking uvicorn directly) without setting "WEBUI_SECRET_KEY" will now refuse to start instead of falling back to an empty key; the supported start methods (start.sh, start_windows.bat, and "open-webui serve") still set or auto-generate it automatically, so standard deployments are unaffected. Direct Uvicorn startup is not supported. #25218