github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-06-03 07:24:59 -05:00
Code Issues 2.4k Packages Projects Releases 129 Wiki Activity

[GH-ISSUE #20604] issue: Missing Access-Control-Allow-Origin on users Direct Connections - Verification or loading models fails on GpuStack #89974

New Issue
Closed
opened 2026-05-15 15:02:00 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-05-15 15:02:00 -05:00
Owner
Copy Link

Originally created by @axelhahn on GitHub (Jan 12, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/20604

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.72

Ollama Version (if applicable)

No response

Operating System

Manjaro

Browser (if applicable)

Firefox 146

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

I setup CORS_ALLOW_ORIGIN to access GpuStack:
CORS_ALLOW_ORIGIN=http://localhost:3000;http://127.0.0.1:3000;https://gpustack.example.com

Adding the connection in admin setup works.
I expect that it works as a connection in the user setup as well.

Actual Behavior

If I setup a connection to a GpuStack instance (OpenAI compatible) in the user settings then the verification button fails "OpenAI: Network Problem".

On the page for connections is a notice
Connect to your own OpenAI compatible API endpoints.
CORS must be properly configured by the provider to allow requests from Open WebUI.

The CORS_ALLOW_ORIGIN is not applied here - but it is applied when adding the connection as admin.

Steps to Reproduce

  • An OpenAI / GpuStack instance (it is not in my environment and I don't maintain it nor have access on system level to it)
  • Install docker + docker-compose
  • Create a docker-compose.yml (see below)
  • Startup container docker-compouse up
  • Create a user and login
  • admin panel -> setup -> connections -> press "+" to add openAI API
  • enter url of a gpustack instance and api key
  • press verify button -> in docker output is a 200 OK for "POST /openai/verify HTTP/1.1" 200
  • cancel connection setup
  • admin panel -> setup -> connections -> enable "Direct Connections"
  • user settings -> connections -> press "+" next to "Manage Direct Connections"
  • enter url of a gpustack instance and api key
  • press F12 for Browser Developer console -> tab "Console
  • Press "verify" button -> Network error occurs "OpenAI Network problem" as result of failed OPTIONS request with status 405 because of missing Access-Control-Allow-Origin
services:

  open-webui:
    build:
      context: .
      dockerfile: Dockerfile
    image: ghcr.io/open-webui/open-webui:main
    container_name: open-webui
    volumes:
      - open-webui:/app/backend/data
    # depends_on:
    #   - ollama
    ports:
      - ${OPEN_WEBUI_PORT-3000}:8080
    environment:
      - 'TZ=Europe/Zurich'

      # # https://docs.openwebui.com/getting-started/env-configuration/
      - 'CORS_ALLOW_ORIGIN=http://localhost:3000;http://127.0.0.1:3000;https://gpustack.example.com'
      - 'WEBUI_SECRET_KEY=1234'
      - 'ENABLE_PERSISTENT_CONFIG=true'
      # - 'WEBUI_URL=""'
      # Cookie security settings for HTTPS
      # Disable if you do not use HTTPS
      - 'WEBUI_SESSION_COOKIE_SECURE=true'
      - 'WEBUI_AUTH_COOKIE_SECURE=true'

      - 'ENABLE_WEBSOCKET_SUPPORT=true'
      - 'DEFAULT_USER_ROLE=user'
      - 'GLOBAL_LOG_LEVEL=debug'
      - 'ENABLE_OPENAI_API=true'
      - 'OFFLINE_MODE=false'

      # LDAP Settings for other users
      # skipped

    extra_hosts:
      - host.docker.internal:host-gateway
    restart: unless-stopped

volumes:
  # ollama: {}
  open-webui: {}

Logs & Screenshots

This works:

The OpenAI connection setup in admin panel makes a connection via openWebUI and respects CORS_ALLOW_ORIGIN value

open-webui | 2026-01-12 12:02:01.064 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 192.168.16.1:53480 - "POST /openai/verify HTTP/1.1" 200

This doesn't

The Direct Connection in the user setup ignors CORS_ALLOW_ORIGIN.
When pressing verify:

Image

The browser console shows

Image

The failed OPTIONS request is the result of HTTP/1.1 405 Method Not Allowed
Reason is the missing Access-Control-Allow-Origin in the request header.

Image

I can reproduced the behavior with a curl command

curl -I -X OPTIONS https://gpustack.example.com/v1/models
HTTP/1.1 405 Method Not Allowed
...

When adding the request header "Access-Control-Allow-Origin":

curl -I -X OPTIONS https://gpustack.example.com/v1/models -h "Access-Control-Allow-Origin: 'https://example.com/'"
Unknown category provided, here is a list of all categories:

 auth        Authentication methods
 connection  Manage connections
 curl        The command line tool itself
...

--> this works.

The connection can be saved even if the verification failed.
When going back to the home page the models won't be loaded because of the same problem (that can be seen as 405 error in the console).

The header "Access-Control-Allow-Origin:" must be added for Direct connections for Verify option and loading the models like it is handled when adding the connection globally via admin panel. Then OpenWebUI can be used by multiple users using their individual API key.

Additional Information

No response

Originally created by @axelhahn on GitHub (Jan 12, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/20604 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version 0.72 ### Ollama Version (if applicable) _No response_ ### Operating System Manjaro ### Browser (if applicable) Firefox 146 ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior I setup CORS_ALLOW_ORIGIN to access GpuStack: `CORS_ALLOW_ORIGIN=http://localhost:3000;http://127.0.0.1:3000;https://gpustack.example.com` Adding the connection in admin setup works. I expect that it works as a connection in the user setup as well. ### Actual Behavior If I setup a connection to a GpuStack instance (OpenAI compatible) in the user settings then the verification button fails "OpenAI: Network Problem". On the page for connections is a notice Connect to your own OpenAI compatible API endpoints. CORS must be properly configured by the provider to allow requests from Open WebUI. The CORS_ALLOW_ORIGIN is not applied here - but it is applied when adding the connection as admin. ### Steps to Reproduce * An OpenAI / GpuStack instance (it is not in my environment and I don't maintain it nor have access on system level to it) * Install docker + docker-compose * Create a docker-compose.yml (see below) * Startup container `docker-compouse up` * Create a user and login * admin panel -> setup -> connections -> press "+" to add openAI API * enter url of a gpustack instance and api key * press verify button -> in docker output is a 200 OK for `"POST /openai/verify HTTP/1.1" 200` * cancel connection setup * admin panel -> setup -> connections -> enable "Direct Connections" * user settings -> connections -> press "+" next to "Manage Direct Connections" * enter url of a gpustack instance and api key * press F12 for Browser Developer console -> tab "Console * Press "verify" button -> Network error occurs "OpenAI Network problem" as result of failed OPTIONS request with status 405 because of missing Access-Control-Allow-Origin ```yml services: open-webui: build: context: . dockerfile: Dockerfile image: ghcr.io/open-webui/open-webui:main container_name: open-webui volumes: - open-webui:/app/backend/data # depends_on: # - ollama ports: - ${OPEN_WEBUI_PORT-3000}:8080 environment: - 'TZ=Europe/Zurich' # # https://docs.openwebui.com/getting-started/env-configuration/ - 'CORS_ALLOW_ORIGIN=http://localhost:3000;http://127.0.0.1:3000;https://gpustack.example.com' - 'WEBUI_SECRET_KEY=1234' - 'ENABLE_PERSISTENT_CONFIG=true' # - 'WEBUI_URL=""' # Cookie security settings for HTTPS # Disable if you do not use HTTPS - 'WEBUI_SESSION_COOKIE_SECURE=true' - 'WEBUI_AUTH_COOKIE_SECURE=true' - 'ENABLE_WEBSOCKET_SUPPORT=true' - 'DEFAULT_USER_ROLE=user' - 'GLOBAL_LOG_LEVEL=debug' - 'ENABLE_OPENAI_API=true' - 'OFFLINE_MODE=false' # LDAP Settings for other users # skipped extra_hosts: - host.docker.internal:host-gateway restart: unless-stopped volumes: # ollama: {} open-webui: {} ``` ### Logs & Screenshots **This works:** The OpenAI connection setup in admin panel makes a connection via openWebUI and respects CORS_ALLOW_ORIGIN value `open-webui | 2026-01-12 12:02:01.064 | INFO | uvicorn.protocols.http.httptools_impl:send:483 - 192.168.16.1:53480 - "POST /openai/verify HTTP/1.1" 200` **This doesn't** The Direct Connection in the user setup ignors CORS_ALLOW_ORIGIN. When pressing verify: <img width="1164" height="692" alt="Image" src="https://github.com/user-attachments/assets/03da917d-8731-407b-9615-366ba5c8c33b" /> The browser console shows <img width="1149" height="174" alt="Image" src="https://github.com/user-attachments/assets/72be6207-6a67-46a8-9563-3a0aad098bd1" /> The failed OPTIONS request is the result of `HTTP/1.1 405 Method Not Allowed` Reason is the missing `Access-Control-Allow-Origin` in the request header. <img width="703" height="1013" alt="Image" src="https://github.com/user-attachments/assets/bf0eccd2-11ac-4656-b294-474461e106b2" /> I can reproduced the behavior with a curl command ``` curl -I -X OPTIONS https://gpustack.example.com/v1/models HTTP/1.1 405 Method Not Allowed ... ``` When adding the request header "Access-Control-Allow-Origin": ``` curl -I -X OPTIONS https://gpustack.example.com/v1/models -h "Access-Control-Allow-Origin: 'https://example.com/'" Unknown category provided, here is a list of all categories: auth Authentication methods connection Manage connections curl The command line tool itself ... ``` --> this works. The connection can be saved even if the verification failed. When going back to the home page the models won't be loaded because of the same problem (that can be seen as 405 error in the console). The header "Access-Control-Allow-Origin:" must be added for Direct connections for Verify option and loading the models like it is handled when adding the connection globally via admin panel. Then OpenWebUI can be used by multiple users using their individual API key. ### Additional Information _No response_
GiteaMirror added the bug label 2026-05-15 15:02:00 -05:00
GiteaMirror commented 2026-05-15 15:02:03 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Jan 12, 2026):

Provider should support CORS.

<!-- gh-comment-id:3739444202 --> @tjbck commented on GitHub (Jan 12, 2026): Provider should support CORS.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#89974
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?