issue: Websearch in Model Configuration overridden by User-Settings #99

Closed
opened 2026-02-15 17:15:00 -05:00 by yindo · 0 comments
Owner

Originally created by @Maximilian-Pichler on GitHub (Sep 2, 2025).

Description:

We have encountered an issue related to model configuration and tool access permissions.

Steps to Reproduce:

  1. In our workspace, we created a custom model and explicitly disabled the Websearch for most models, to prevent scenarios where users might upload internal documents whose content could be sent to our external search API provider (not trusted for internal data).
  2. Our intended setup is:
    • For models with Websearch enabled, file upload is disabled.
    • For models with file upload enabled, Websearch is disabled.

Issue:
If a user sets the user-setting to "always use websearch," this setting overrides model-specific tool restrictions. As a result, Websearch is used even with custom models that should not have access to this tool. This poses a potential security risk, as internal documents could be exposed to third parties via the websearch API.

Expected Behavior:
Model-level restrictions on tool access (such as Websearch) should not be bypassed by global user settings.

Actual Behavior:
Global "always use websearch" setting overrides the custom model's configuration, enabling Websearch where it should be explicitly disabled.

Impact:
This creates a security concern in our environment, as it may lead to unintended exposure of sensitive internal data.

Notes:
It's unclear if this behavior is intentional, but it was unexpected from our point of view.

Originally created by @Maximilian-Pichler on GitHub (Sep 2, 2025). **Description:** We have encountered an issue related to model configuration and tool access permissions. **Steps to Reproduce:** 1. In our workspace, we created a custom model and explicitly disabled the Websearch for most models, to prevent scenarios where users might upload internal documents whose content could be sent to our external search API provider (not trusted for internal data). 2. Our intended setup is: - For models with Websearch enabled, file upload is disabled. - For models with file upload enabled, Websearch is disabled. **Issue:** If a user sets the user-setting to "always use websearch," this setting overrides model-specific tool restrictions. As a result, Websearch is used even with custom models that should not have access to this tool. This poses a potential security risk, as internal documents could be exposed to third parties via the websearch API. **Expected Behavior:** Model-level restrictions on tool access (such as Websearch) should not be bypassed by global user settings. **Actual Behavior:** Global "always use websearch" setting overrides the custom model's configuration, enabling Websearch where it should be explicitly disabled. **Impact:** This creates a security concern in our environment, as it may lead to unintended exposure of sensitive internal data. **Notes:** It's unclear if this behavior is intentional, but it was unexpected from our point of view.
yindo closed this issue 2026-02-15 17:15:00 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: open-webui/docs#99