diff --git a/iac/ecs.tf b/iac/ecs.tf
index 1ecf8b7da7..5deb79e17f 100644
--- a/iac/ecs.tf
+++ b/iac/ecs.tf
@@ -80,6 +80,13 @@ resource "aws_ecs_task_definition" "webui_scaled" {
   execution_role_arn       = aws_iam_role.openwebui_execution_role.arn
   task_role_arn           = aws_iam_role.openwebui_execution_role.arn
 
+  # Ensure secret versions exist before task definition is created
+  # This prevents tasks from failing due to missing AWSCURRENT staging label
+  depends_on = [
+    aws_secretsmanager_secret_version.redis_connection,
+    aws_secretsmanager_secret_version.webui_shared_secret
+  ]
+
   container_definitions = jsonencode([
     {
       name      = "openwebui"
@@ -381,8 +388,13 @@ resource "aws_ecs_service" "webui_scaled" {
     container_port   = 8080
   }
 
-  # Wait for target group to be ready
-  depends_on = [aws_lb_listener.webui_listener]
+  # Wait for target group and secret versions to be ready
+  # This ensures secrets have AWSCURRENT staging label before tasks start
+  depends_on = [
+    aws_lb_listener.webui_listener,
+    aws_secretsmanager_secret_version.redis_connection,
+    aws_secretsmanager_secret_version.webui_shared_secret
+  ]
 
   # Enable deployment circuit breaker
   deployment_controller {
diff --git a/iac/variables.tf b/iac/variables.tf
index 2494c2b77d..e06bf5a136 100644
--- a/iac/variables.tf
+++ b/iac/variables.tf
@@ -55,7 +55,7 @@ variable "task_family_name" {
 variable "container_image" {
   description = "Container image URI"
   type        = string
-  default     = "908027381725.dkr.ecr.us-east-1.amazonaws.com/open-webui/custom:v0.6.36"
+  default     = "908027381725.dkr.ecr.us-east-1.amazonaws.com/open-webui/custom:v0.6.41-01"
 }
 
 variable "desired_count" {