From b2c23ff67546e9f16202e5e5b2218d18b89a8bb3 Mon Sep 17 00:00:00 2001 From: DrMelone <27028174+Classic298@users.noreply.github.com> Date: Tue, 27 Jan 2026 16:50:25 +0100 Subject: [PATCH 1/4] db schema --- docs/features/web-search/yandex.md | 8 +++- docs/tutorials/tips/sqlite-database.md | 63 ++++++++++++++++++++------ 2 files changed, 57 insertions(+), 14 deletions(-) diff --git a/docs/features/web-search/yandex.md b/docs/features/web-search/yandex.md index a3c8c588c..4dc1c9ee9 100644 --- a/docs/features/web-search/yandex.md +++ b/docs/features/web-search/yandex.md @@ -3,6 +3,12 @@ sidebar_position: 14 title: "Yandex" --- +:::warning + +This tutorial is a community contribution and is not supported by the Open WebUI team. It serves only as a demonstration on how to customize Open WebUI for your specific use case. Want to contribute? Check out the contributing tutorial. + +::: + :::tip For a comprehensive list of all environment variables related to Web Search (including concurrency settings, result counts, and more), please refer to the [Environment Configuration documentation](../../getting-started/env-configuration#web-search). @@ -40,4 +46,4 @@ services: * **YANDEX_WEB_SEARCH_URL**: The endpoint for the Yandex Search API. Defaults to `https://searchapi.api.cloud.yandex.net/v2/web/search`. * **YANDEX_WEB_SEARCH_API_KEY**: Your Yandex Cloud API Key. -* **YANDEX_WEB_SEARCH_CONFIG**: An optional JSON string to customize the search request (e.g., setting `searchType`, `region`, or other parameters supported by the Yandex Search API). +* **YANDEX_WEB_SEARCH_CONFIG**: An optional JSON string to customize the search request. This allows you to set any parameters supported by the Yandex Search API. diff --git a/docs/tutorials/tips/sqlite-database.md b/docs/tutorials/tips/sqlite-database.md index 131095958..50860c9cf 100644 --- a/docs/tutorials/tips/sqlite-database.md +++ b/docs/tutorials/tips/sqlite-database.md @@ -79,9 +79,10 @@ Here is a complete list of tables in Open-WebUI's SQLite database. The tables ar | 23 | note | Stores user-created notes and annotations | | 24 | oauth_session | Manages active OAuth sessions for users | | 25 | prompt | Stores templates and configurations for AI prompts | -| 26 | tag | Manages tags/labels for content categorization | -| 27 | tool | Stores configurations for system tools and integrations | -| 28 | user | Maintains user profiles and account information | +| 26 | prompt_history | Tracks version history and snapshots for prompts | +| 27 | tag | Manages tags/labels for content categorization | +| 28 | tool | Stores configurations for system tools and integrations | +| 29 | user | Maintains user profiles and account information | Note: there are two additional tables in Open-WebUI's SQLite database that are not related to Open-WebUI's core functionality, that have been excluded: @@ -446,14 +447,33 @@ The `access_control` fields expected structure: ## Prompt Table -| **Column Name** | **Data Type** | **Constraints** | **Description** | -| --------------- | ------------- | --------------- | ------------------------- | -| command | String | PRIMARY KEY | Unique command identifier | -| user_id | String | - | Prompt owner | -| title | Text | - | Prompt title | -| content | Text | - | Prompt content/template | -| timestamp | BigInteger | - | Last update timestamp | -| access_control | JSON | nullable | Access permissions | +| **Column Name** | **Data Type** | **Constraints** | **Description** | +| --------------- | ------------- | --------------- | ----------------------------------- | +| id | Text | PRIMARY KEY | Unique identifier (UUID) | +| command | String | UNIQUE, INDEX | Unique command identifier | +| user_id | String | NOT NULL | Owner of the prompt | +| name | Text | NOT NULL | Display name of the prompt | +| content | Text | NOT NULL | Prompt content/template | +| data | JSON | nullable | Additional prompt data | +| meta | JSON | nullable | Prompt metadata | +| access_control | JSON | nullable | Permission settings | +| is_active | Boolean | default=True | Active status | +| version_id | Text | nullable | Current version identifier | +| tags | JSON | nullable | Associated tags | +| created_at | BigInteger | NOT NULL | Creation timestamp | +| updated_at | BigInteger | NOT NULL | Last update timestamp | + +## Prompt History Table + +| **Column Name** | **Data Type** | **Constraints** | **Description** | +| --------------- | ------------- | ------------------------------ | --------------------------------- | +| id | Text | PRIMARY KEY | Unique identifier (UUID) | +| prompt_id | Text | FOREIGN KEY(prompt.id), INDEX | Reference to the prompt | +| parent_id | Text | nullable | Reference to the parent version | +| snapshot | JSON | NOT NULL | Snapshot of the prompt at version | +| user_id | Text | NOT NULL | User who created the version | +| commit_message | Text | nullable | Version commit message | +| created_at | BigInteger | NOT NULL | Creation timestamp | ## Tag Table @@ -524,6 +544,8 @@ erDiagram user ||--o{ memory : "owns" user ||--o{ model : "manages" user ||--o{ prompt : "creates" + user ||--o{ prompt_history : "creates" + prompt ||--o{ prompt_history : "has" user ||--o{ tag : "creates" user ||--o{ tool : "manages" user ||--o{ note : "owns" @@ -698,11 +720,26 @@ erDiagram } prompt { - string command PK + text id PK + string command string user_id FK - text title + text name text content + json data + json meta json access_control + boolean is_active + text version_id + json tags + } + + prompt_history { + text id PK + text prompt_id FK + text parent_id FK + json snapshot + text user_id FK + text commit_message } tag { From d4cb35adef36dd17a41dff507a543b9ee90c2df9 Mon Sep 17 00:00:00 2001 From: DrMelone <27028174+Classic298@users.noreply.github.com> Date: Tue, 27 Jan 2026 23:17:43 +0100 Subject: [PATCH 2/4] SECURITY WARNINGS tools and plugins --- docs/features/pipelines/index.mdx | 4 +-- docs/features/plugin/functions/index.mdx | 6 ++++ docs/features/plugin/index.mdx | 22 ++++++++++++ docs/security.mdx | 44 ++++++++++++++++++++++++ 4 files changed, 74 insertions(+), 2 deletions(-) diff --git a/docs/features/pipelines/index.mdx b/docs/features/pipelines/index.mdx index 354ba4b62..d27376ae1 100644 --- a/docs/features/pipelines/index.mdx +++ b/docs/features/pipelines/index.mdx @@ -53,9 +53,9 @@ Integrating Pipelines with any OpenAI API-compatible UI client is simple. Launch ## ⚡ Quick Start with Docker -:::warning +:::danger ⚠️ Security Warning -Pipelines are a plugin system with arbitrary code execution — **don't fetch random pipelines from sources you don't trust**. +Pipelines are a plugin system with arbitrary code execution — **don't fetch random pipelines from sources you don't trust**. A malicious Pipeline could access your file system, exfiltrate data, mine cryptocurrency, or compromise your system. Always review Pipeline source code before installing. See the [Security Policy](/security) for more details. ::: diff --git a/docs/features/plugin/functions/index.mdx b/docs/features/plugin/functions/index.mdx index e3f719a76..f6548f42b 100644 --- a/docs/features/plugin/functions/index.mdx +++ b/docs/features/plugin/functions/index.mdx @@ -11,6 +11,12 @@ Unlike external tools that may require complex integrations, **Functions are bui Think of Functions as **modular building blocks** that let you enhance how the WebUI works, tailored exactly to what you need. They’re lightweight, highly customizable, and written in **pure Python**, so you have the freedom to create anything—from new AI-powered workflows to integrations with anything you use, like Google Search or Home Assistant. +:::danger ⚠️ Security Warning + +**Functions execute arbitrary Python code on your server.** Only install Functions from trusted sources. Before importing any Function, review its source code to understand what it does. A malicious Function could access your file system, exfiltrate data, or compromise your system. See the [Security Policy](/security) for more details. + +::: + --- ## 🏗️ Types of Functions diff --git a/docs/features/plugin/index.mdx b/docs/features/plugin/index.mdx index f8e6dd434..20842e2d6 100644 --- a/docs/features/plugin/index.mdx +++ b/docs/features/plugin/index.mdx @@ -17,6 +17,28 @@ Getting started with Tools and Functions is easy because everything’s already ## What are "Tools" and "Functions"? +--- + +:::danger ⚠️ Critical Security Warning + +**Tools, Functions, Pipes, Filters, and Pipelines execute arbitrary Python code on your server.** This is by design—it's what makes them powerful. However, this also means: + +1. **Only install from trusted sources.** Never import Tools or Functions from unknown or untrusted sources. Malicious code can compromise your entire system. + +2. **Review code before importing.** Before installing any community Tool or Function, review its source code. If you don't understand what it does, don't install it. + +3. **Protect your data directory.** The `data` directory (mounted at `/app/backend/data` in Docker) contains your database, configurations, and cached Tools/Functions. If an attacker gains write access to this directory, they can inject malicious code that will execute on your server. + +4. **Restrict Workspace access.** Only trusted administrators should have permission to create, import, or modify Tools and Functions. Regular users should **not** have Workspace access unless explicitly required. + +5. **Audit installed plugins regularly.** Periodically review the Tools and Functions installed in your instance via **Workspace → Tools** and **Admin Panel → Functions**. + +**What could go wrong?** A malicious Tool or Function could exfiltrate data, install malware, mine cryptocurrency, pivot to other systems on your network, or corrupt your instance. + +::: + +--- + Let's start by thinking of **Open WebUI** as a "base" software that can do many tasks related to using Large Language Models (LLMs). But sometimes, you need extra features or abilities that don't come *out of the box*—this is where **tools** and **functions** come into play. ### Tools diff --git a/docs/security.mdx b/docs/security.mdx index b57dcd72f..35d30100b 100644 --- a/docs/security.mdx +++ b/docs/security.mdx @@ -85,6 +85,50 @@ If your concern does not meet the vulnerability requirements outlined above, is Examples of non-vulnerability, still security-related concerns include suggestions for better default configuration values, security hardening recommendations, deployment best practices guidance, unclear configuration instructions, need for additional security documentation, feature requests for optional security enhancements (2FA, audit logging, etc.), and general security questions about production deployment. Please use the adequate channel for your specific issue. +## Tools, Functions, and Pipelines Security + +Open WebUI provides powerful extensibility through **Tools**, **Functions** (including Pipes, Filters, and Actions), and **Pipelines**. These features allow you to extend Open WebUI's capabilities with custom Python code. However, this power comes with security responsibilities. + +:::warning + +**Tools, Functions, and Pipelines execute arbitrary Python code on your server.** This is intentional—it's what makes them powerful. However, this means they have the same level of access as the Open WebUI backend process itself. + +::: + +### Security Implications + +When you install a Tool, Function, or Pipeline, you are granting it the ability to: + +- **Access the file system** — read or write any files the backend process can access +- **Make network requests** — connect to external services, potentially exfiltrating data +- **Execute system commands** — run shell commands via subprocess +- **Access environment variables** — read API keys, secrets, and configuration +- **Modify the database** — access or alter stored data +- **Consume compute resources** — run CPU-intensive operations + +### Best Practices + +| Practice | Description | +|----------|-------------| +| **Only install from trusted sources** | Only use Tools/Functions from the official community library or sources you trust | +| **Review code before installing** | Read and understand what a Tool/Function does before importing it | +| **Restrict Workspace access** | Only grant Workspace permissions to trusted administrators | +| **Audit installed plugins** | Regularly review installed Tools (Workspace → Tools) and Functions (Admin Panel → Functions) | +| **Protect your data directory** | The `/app/backend/data` directory contains your database and cached plugins—protect it from unauthorized access | +| **Monitor resource usage** | Watch for unexpected CPU spikes that could indicate cryptomining or other abuse | +| **Use official Docker images** | Only pull from `ghcr.io/open-webui/open-webui`—unofficial images may be compromised | + +### What Is NOT a Vulnerability + +The following scenarios are **not** considered vulnerabilities because they require administrator action: + +- An admin installing a malicious Tool or Function +- An admin granting Workspace access to an untrusted user +- An admin importing code from an untrusted source +- An attacker with write access to the data volume injecting malicious plugins + +These scenarios represent **admin negligence** or **environment compromise**, not vulnerabilities in Open WebUI itself. See [Rule #10 in our Security Policy](https://github.com/open-webui/open-webui/security) for details. + ## Product Security Process - Internal and periodic external reviews of our architecture and pipelines From df2dbf6edd614cfe05ec565de78a7b26fa030217 Mon Sep 17 00:00:00 2001 From: DrMelone <27028174+Classic298@users.noreply.github.com> Date: Tue, 27 Jan 2026 23:19:11 +0100 Subject: [PATCH 3/4] playground --- docs/features/index.mdx | 2 +- docs/security.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/features/index.mdx b/docs/features/index.mdx index d757b5673..3aeceba0e 100644 --- a/docs/features/index.mdx +++ b/docs/features/index.mdx @@ -276,7 +276,7 @@ import { TopBanners } from "@site/src/components/TopBanners"; - 🍻 **TavernAI Character Card Integration**: Experience enhanced visual storytelling with TavernAI Character Card Integration in our model builder. Users can seamlessly incorporate TavernAI character card PNGs directly into their model files, creating a more immersive and engaging user experience. -- 🎲 **Model Playground (Beta)**: Try out models with the model playground area (`beta`), which enables users to test and explore model capabilities and parameters with ease in a sandbox environment before deployment in a live chat environment. +- 🎲 **Model Playground (Beta)**: Try out models with the model playground area (`beta`), which enables users to test and explore model capabilities and parameters with ease in a sandbox environment before deployment in a live chat environment. Export your playground conversations in JSON format (compatible with Open WebUI chat import) or as plain text for easy sharing and documentation. --- diff --git a/docs/security.mdx b/docs/security.mdx index 35d30100b..dcf5bc7ad 100644 --- a/docs/security.mdx +++ b/docs/security.mdx @@ -127,7 +127,7 @@ The following scenarios are **not** considered vulnerabilities because they requ - An admin importing code from an untrusted source - An attacker with write access to the data volume injecting malicious plugins -These scenarios represent **admin negligence** or **environment compromise**, not vulnerabilities in Open WebUI itself. See [Rule #10 in our Security Policy](https://github.com/open-webui/open-webui/security) for details. +These scenarios represent **admin negligence** or **environment compromise**, not vulnerabilities in Open WebUI itself. See [our Security Policy](https://github.com/open-webui/open-webui/security) for details. ## Product Security Process From 904f4ae079d1a1c7bcab80adc5a6ba0d5c4b42c9 Mon Sep 17 00:00:00 2001 From: DrMelone <27028174+Classic298@users.noreply.github.com> Date: Thu, 29 Jan 2026 17:51:41 +0100 Subject: [PATCH 4/4] REDIS --- docs/getting-started/env-configuration.mdx | 18 ++++++++++++++++++ docs/tutorials/integrations/redis.md | 9 +++++++++ 2 files changed, 27 insertions(+) diff --git a/docs/getting-started/env-configuration.mdx b/docs/getting-started/env-configuration.mdx index ddc65bfd9..c0a7cada3 100644 --- a/docs/getting-started/env-configuration.mdx +++ b/docs/getting-started/env-configuration.mdx @@ -5859,6 +5859,24 @@ If `WEBSOCKET_REDIS_OPTIONS` is not set, `REDIS_SOCKET_CONNECT_TIMEOUT` will be ::: +#### `REDIS_SENTINEL_MAX_RETRY_COUNT` + +- Type: `int` +- Default: `2` +- Description: Sets the maximum number of retries for Redis operations when using Sentinel fail-over. This is a critical high-availability setting that allows the application time for master election and promotion. If your Sentinel `down-after-milliseconds` is high, you should tune this value accordingly to ensure the service survives the failover window without dropping connections. + +#### `REDIS_RECONNECT_DELAY` + +- Type: `float` (milliseconds) +- Default: None +- Description: Optional reconnect delay in milliseconds for Redis Sentinel retry logic, applied consistently across both synchronous and asynchronous Redis operations. This improves stability during Sentinel failover by preventing tight retry loops. When unset or invalid, retry behavior remains unchanged. + +#### `WEBSOCKET_REDIS_LOCK_TIMEOUT` + +- Type: `int` +- Default: `60` +- Description: Sets the timeout in seconds for Redis locks used by the websocket manager. + #### `ENABLE_WEBSOCKET_SUPPORT` - Type: `bool` diff --git a/docs/tutorials/integrations/redis.md b/docs/tutorials/integrations/redis.md index 2e48e1daa..47d49577f 100644 --- a/docs/tutorials/integrations/redis.md +++ b/docs/tutorials/integrations/redis.md @@ -215,6 +215,13 @@ WEBSOCKET_REDIS_OPTIONS='{"socket_connect_timeout": 5}' ::: +#### Retry and Reconnect Logic + +To enhance resilience during Sentinel failover—the window when a new master is being elected and promoted—you can configure retry behavior to prevent the application from exhausting its reconnection attempts too quickly. + +- **`REDIS_SENTINEL_MAX_RETRY_COUNT`**: Sets the maximum number of retries for Redis operations when using Sentinel (Default: `2`). +- **`REDIS_RECONNECT_DELAY`**: Adds an optional delay in **milliseconds** between retry attempts (e.g., `REDIS_RECONNECT_DELAY=500`). This prevents tight retry loops that may otherwise overwhelm the event loop or block the application before a new master is ready. + ### Complete Example Configuration Here's a complete example showing all Redis-related environment variables: @@ -229,6 +236,8 @@ WEBSOCKET_REDIS_URL="redis://redis-valkey:6379/1" # Recommended for Sentinel deployments (prevents failover hangs) REDIS_SOCKET_CONNECT_TIMEOUT=5 +REDIS_SENTINEL_MAX_RETRY_COUNT=5 +REDIS_RECONNECT_DELAY=1000 # Optional REDIS_KEY_PREFIX="open-webui"