Pull Request Explorer

Summary

Correct comment in knowledge router

Fixes a comment typo in the knowledge router, improving code clarity.

Health Assessment

• • Quick fix with minimal changes, merged within 5 hours, indicating smooth review process.

Summary

Refactor: remove unused prompts command endpoint

Eliminates a dead API route, reducing code complexity and potential security surface.

Health Assessment

• • The PR cleans up unused backend logic, simplifying maintenance and lowering attack surface.

Summary

Fix blocking transcode_audio_to_mp3

Runs audio transcoding in a separate thread to prevent UI blocking during TTS, improving responsiveness.

Health Assessment

• • Quick, single-commit fix merged within a day, indicating low complexity and minimal risk.

Summary

Disable redirect following in OAuth picture fetch

Prevents SSRF by ensuring redirects are not followed during OAuth picture retrieval, protecting internal resources. This fix addresses a security vulnerability that could allow attackers to bypass URL validation.

Health Assessment

• • The PR had a small code change but a long cycle time of 80 hours, indicating potential review delays or complexity in addressing the SSRF issue.

Summary

Fix DNS rebinding SSRF vulnerability

Mitigates DNS rebinding attack by ensuring consistent DNS resolution, reducing risk of internal network exposure.

Health Assessment

• • The PR addressed a critical DNS rebinding vulnerability with minimal code changes, but the review cycle was relatively long, indicating potential delays in security review.

Summary

Fix access_type handling in shared-chat file authorization

Ensures that file access checks respect the requested access type, preventing read‑only users from modifying or deleting files in shared chats.

Health Assessment

• • Minimal change, quick resolution, no rework.

Summary

Fix missing [DONE] termination for pipe streams

Ensures streaming responses correctly signal completion, improving client reliability and preventing hanging streams.

Health Assessment

• • The PR took over four days to merge, indicating a slow review process, but the change was small and straightforward.

Summary

Refactor: Log expected failures as warnings

Reduces log noise by treating expected fetch, transcript, and tool-server failures as warnings, improving monitoring clarity.

Health Assessment

• • Fast turnaround with minimal changes; no review delays or blockers.

Summary

Fix URL validation for Playwright loader

This fix validates every navigation and redirect in the Playwright loader, preventing public URLs from redirecting into internal network addresses. It enhances security by blocking potentially malicious redirects.

Health Assessment

• • The PR took over four days to merge, indicating a slow review process, but the change was small and straightforward.

Summary

Remove dead generateFollowUps wrapper

Eliminates unused frontend wrapper for follow-up generation, cleaning code and reducing maintenance.

Health Assessment

• • PR made a small, focused change that was merged quickly after review, indicating low complexity and risk.

Summary

Fix calendar write access check on event update

Ensures users cannot move events into calendars they don't own, preventing unauthorized data manipulation.

Health Assessment

• • Single small change merged after ~4 days, minimal review friction.

Summary

Fix CLI Bing search argument mismatch

Corrects argument passing for Bing search CLI, preventing runtime errors and ensuring proper configuration via environment variables.

Health Assessment

• • Single small fix with minimal changes, merged after a few days, indicating low complexity and low risk.

Summary

Remove unused DELETE /chats/{id}/tags/all endpoint

Eliminates a dead API endpoint and its frontend wrapper, reducing code complexity and potential security surface.

Health Assessment

• • Quick cleanup of dead code, improving maintainability and reducing potential attack surface.

Summary

Remove unused markdown rendering endpoint

Eliminates redundant server‑side markdown rendering, reducing codebase size and maintenance overhead.

Health Assessment

• • PR removed dead code with minimal changes and merged quickly with no review friction.

Summary

Remove unused GET /evaluations/feedbacks/all endpoint

Eliminates a redundant endpoint that posed an OOM risk for admins, improving system stability and reducing unnecessary code maintenance. The change removes dead frontend wrapper and unused imports, streamlining the codebase.

Health Assessment

• • The PR performed a small refactor to remove an unused endpoint, reducing potential OOM risk and cleaning up dead code. The change was straightforward and merged after a few days.

Summary

Refactor: remove dead frontend API wrappers

Cleaned up unused API wrappers, reducing codebase size and potential confusion, improving maintainability.

Health Assessment

• • Single commit refactor with no review comments; large deletion volume suggests significant code cleanup but low review friction.

Summary

Update Irish translation strings

Adds and refines Irish language strings, improving localization for Irish-speaking users.

Health Assessment

• • Quick turnaround with minimal changes, indicating a straightforward localization update.

Summary

Fix workspace skills gating in sidebar and workspace index

Ensures users with only workspace.skills permission see the Workspace menu and can access the workspace directly, improving access control and user experience.

Health Assessment

• • Quick, minimal change that resolved a permission gating issue, resulting in a smooth merge within 4 hours.

Summary

Add emoji picker to rich text toolbar

Users can now insert emojis directly in rich text input, improving chat experience.

Health Assessment

• • Quick single-commit PR with minimal changes, merged within 18 hours, indicating smooth review and low complexity.

Summary

Fix composite primary key in migration

Corrects migration errors that caused database integrity failures, ensuring reliable deployment and data consistency for legacy tables.

Health Assessment

• • Quick, single-file fix with minimal changes and no review iterations, indicating a straightforward bug resolution.

Summary

Update SECURITY.md

Updated security documentation to reflect current policies and CLA requirements.

Health Assessment

• • Quick documentation update with minimal review.

Summary

Update Russian translations

Adds missing and refined Russian language strings, improving localization and user experience for Russian-speaking users.

Health Assessment

• • Fast cycle time of 4 hours and a single file change indicate a low-risk, straightforward localization update.

Summary

Fix default WEB_LOADER_ENGINE in start.sh

Prevents startup crashes by ensuring optional env variable has a default, improving reliability for deployments without explicit loader engine settings.

Health Assessment

• • Single small change, quick cycle time, no review friction, minimal risk.

Summary

Enforce direct tool server permission on chat completions

Prevents users from bypassing admin‑set tool server restrictions, tightening security for chat‑completion requests.

Health Assessment

• • Quick fix with minimal changes, resolved within the same day, indicating efficient review and low complexity.

Summary

Validate folder ownership on chat creation

Ensures chats are linked only to the user's own folders, preventing accidental cross-user references and maintaining database integrity.

Health Assessment

• • Single commit, straightforward validation fix, minimal risk.

Summary

Update Catalan translation file

Adds updated Catalan translations to improve localization for Catalan-speaking users.

Health Assessment

• • Simple translation update with minimal code changes, merged within 57 hours.

Summary

Fix Danish translation for Authentication

Corrects the Danish translation for the Authentication label, improving user experience for Danish-speaking users.

Health Assessment

• • Quick fix with minimal changes, merged within 10 hours, indicating efficient review and low risk.

Summary

i18n: Update Swedish (sv-SE) translation

Adds Swedish translations for all UI elements, enhancing localization for Swedish-speaking users.

Health Assessment

• • The PR was merged within 3.8 hours with a single file change, indicating a low-risk, high-efficiency localization update.

Summary

Update German translations

Adds missing German translation strings for UI, improving localization for German-speaking users. Ensures consistent UI labels and time-relative messages.

Health Assessment

• • Quick turnaround with minimal changes, indicating a straightforward fix with low risk.

Summary

Update es-ES translation to v0.9.5

Adds Spanish (Spain) translations for new UI strings, improving localization for Spanish-speaking users.

Health Assessment

• • The PR was merged within 2.4 hours with a single commit and no review comments, indicating a straightforward change with minimal risk.

Summary

Health Assessment

Summary

Prevent user_id spoofing in feedback endpoint

Stops authenticated users from forging feedback attribution, protecting leaderboard integrity and preventing abuse of the feedback system.

Health Assessment

• • Quick fix with minimal changes, merged within a day, indicating low complexity and low risk.

Summary

Prevent redirect-based SSRF and enforce collection write access

This fix stops malicious redirects from causing internal SSRF attacks and ensures only authorized users can write to collections, improving security and data integrity.

Health Assessment

• • Quick fix with minimal changes, merged within 18 hours, indicating low complexity and high confidence in security improvement.

Summary

Gate tool updates behind workspace.tools

This change tightens security by requiring workspace.tools permission for tool content updates, preventing unauthorized code execution and aligning update permissions with creation permissions. It protects the system from privilege escalation via write-granted users.

Health Assessment

• • Quick fix with minimal changes, no review needed, merged within a day.

Summary

Enforce message ownership in group/DM channel endpoints

Fixes a security flaw that allowed group/DM channel members to overwrite or delete other members' messages, ensuring only the original author or admins can modify messages.

Health Assessment

• • Quick fix with minimal changes, resolved a critical security issue in a single commit, no back‑and‑forth.

Summary

Fix pin permission for standard channel messages

Ensures only users with write access can pin or unpin messages, preventing unauthorized modifications.

Health Assessment

• • Quick, single-file change with no review iterations, indicating low complexity and risk.

Summary

Add validate_url() to get_image_data() for security hardening

Adds missing URL validation to image data retrieval to prevent SSRF vulnerabilities, improving system security.

Health Assessment

• • Quick fix with minimal changes, merged within a day, indicating low complexity and high confidence in security improvement.

Summary

Fix model params exposure on per-id endpoint

This change removes sensitive model parameters from the per-id API response for users without write access, protecting confidential prompts and ensuring only authorized curators can view full model details.

Health Assessment

• • Quick fix with minimal changes, no rework, fast review and merge.

Summary

Fix SSRF bypass by rejecting parser‑confusing chars

Prevents attackers from exploiting URL parsing differences to reach internal resources, strengthening security.

Health Assessment

• • Quick fix with minimal changes, resolved within hours, indicating efficient review and low complexity.

Summary

Add pt-BR translations for new UI items

Adds Brazilian Portuguese translations for newly added UI elements and improves consistency of existing strings, enhancing clarity for Portuguese-speaking users.

Health Assessment

• • The PR was merged within 22 hours with a single commit and no review comments, indicating a smooth, low-risk localization update.

Summary

Remove dead code status endpoint

Eliminates an unused, insecure endpoint that exposed internal configuration, improving security and reducing code surface.

Health Assessment

• • Quick, single-commit PR with minimal changes, merged within minutes, indicating low complexity and low risk.

Summary

Gate public sharing of skills on create/update

Ensures that skill sharing permissions are consistently enforced, preventing unauthorized public access when creating or updating skills.

Health Assessment

• • Single commit, minimal changes, merged within 1 hour, no review comments.

Summary

Gate public sharing of calendars behind permission

Ensures calendar sharing respects the sharing.public_calendars permission, preventing unauthorized public access to calendar events.

Health Assessment

• • Quick 2‑hour cycle with a single commit and minimal code changes indicates a straightforward bug fix with low risk and minimal review friction.

Summary

Prevent redirect-based SSRF in web-fetch and image-load call sites

Fixes a security vulnerability that allowed authenticated users to trigger SSRF by following redirects to internal addresses. The change disables redirects in HTTP clients used for web fetching and image loading, ensuring URLs are validated against private IP block lists.

Health Assessment

• • The PR was merged immediately after a single commit, indicating a straightforward fix with minimal review. The change addresses a critical SSRF vulnerability by disabling redirects in web fetch and image load operations.

Summary

Fix notes is_pinned TypeError on create/get

Corrects errors caused by mismatched is_pinned field between Pydantic schema and SQLAlchemy model, ensuring note creation and retrieval work correctly.

Health Assessment

• • Quick fix with minimal changes, merged within 2 hours, indicating low complexity and high confidence.

Summary

Health Assessment

Summary

Health Assessment

Summary

Update project changelog

Adds recent changes to the changelog, documenting updates for users.

Health Assessment

• • The PR added 92 lines to the changelog over a 107‑hour cycle, with multiple small commits indicating incremental updates.
• • The documentation-only change had low risk and minimal friction.

Summary

Fix image URL validation and signout method

Improves security by validating image URLs, enforcing POST-only signout, and providing optional external image forwarding via config.

Health Assessment

• • The PR involved moderate changes across backend and frontend, with a single review cycle and a 50‑hour turnaround, indicating a smooth but not rushed process.

Summary

Add Tagalog (Filipino) translation

Adds Tagalog language support to Open WebUI, expanding accessibility for Filipino users.

Health Assessment

• • The PR added a large translation file with minimal code changes, received a quick review and merged within a week, indicating a smooth and low-risk process.