v1.36.0

Compare Source

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

• SSO Login CSRF
  GHSA-pfp2-jhgq-6hg5
  GHSA-w6h6-8r66-hcv7
• User/Organization Enumeration
  GHSA-hxqh-ff5p-wfr3
• SSO existing-user binding
  GHSA-j4j8-gpvj-7fqr
  GHSA-6x5c-84vm-5j56
• SSRF via Icon Endpoint
  GHSA-72vh-x5jq-m82g
• Some crate's updated and other minor security enhancements

These are private for now, pending CVE assignment.

Notes

• Archiving of items is available
  https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/
  https://bitwarden.com/nl-nl/help/managing-items/#archive
• Web Vault updated to v2026.4.1

What's Changed

• SSO fallback to UserInfo preferred_username by @​Timshel in #​7128
• Dummy identifier need to pass for a guid by @​Timshel in #​7154
• add new /identity/accounts/prelogin/password by @​stefan0xC in #​7156
• Add DuckDuckGo browser device type by @​dfunkt in #​7147
• Apply duration_suboptimal_units lint findings by @​dfunkt in #​7144
• Apply ref_option lint findings by @​dfunkt in #​7143
• Fix hardcoded sso identifier by @​Timshel in #​7157
• Update crates and fix a nightly lint by @​BlackDex in #​7161
• Fix Host/IP resolving by @​BlackDex in #​7162
• Several SSO Fixes by @​BlackDex in #​7163
• Add support for archiving items by @​matt-aaron in #​6916
• Fix favicon fetching to check all icon links instead of just the first one by @​Shocker in #​6880
• Fix merge conflict by @​dani-garcia in #​7164
• Replace organization_uuid unwrap with proper error handling by @​xjohnyknox in #​6936
• fix: return Err instead of panic on unknown cipher atype in to_json() by @​mango766 in #​7068
• Allow SQLite to be linked against dynamically by @​ISSOtm in #​7057
• Update crates and web-vault by @​BlackDex in #​7171
• Update hickory by @​BlackDex in #​7175

New Contributors

• @​matt-aaron made their first contribution in #​6916
• @​Shocker made their first contribution in #​6880
• @​xjohnyknox made their first contribution in #​6936
• @​mango766 made their first contribution in #​7068
• @​ISSOtm made their first contribution in #​7057

Full Changelog: dani-garcia/vaultwarden@1.35.8...1.36.0

You can discuss this release here https://redirect.github.com/dani-garcia/vaultwarden/discussions/7177

v1.35.8

Compare Source

What's Changed

• Dummy org Master password policy auth fix by @​Timshel in #​7097
• Fix recovery-code not working by @​BlackDex in #​7102
• Fix invalid refresh token response by @​BlackDex in #​7105
• Update Rust, Crates, GHA and fix a DNS issue by @​BlackDex in #​7108
• Update web-vault and crates by @​BlackDex in #​7121

Full Changelog: dani-garcia/vaultwarden@1.35.7...1.35.8

v1.35.7

Compare Source

What's Changed

• Fix 2FA for Android by @​BlackDex in #​7093

Full Changelog: dani-garcia/vaultwarden@1.35.6...1.35.7

v1.35.6

Compare Source

Notes

The previous release contained an issue where Two Factor Remember Tokens and Recovery Tokens were not accepted at all.
This has been fixed now in this release.

What's Changed

• Fix MFA Remember by @​BlackDex in #​7085

Full Changelog: dani-garcia/vaultwarden@1.35.5...1.35.6

v1.35.5

Compare Source

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

• GHSA-937x-3j8m-7w7p Unconfirmed Owner Can Purge Entire Organization Vault.
• GHSA-569v-845w-g82p Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization
• GHSA-6j4w-g4jh-xjfx Refresh tokens not invalidated on security stamp rotation

These are private for now, pending CVE assignment.

Notes

• The admin templates have changed, please update them if you override these via templates.
• Two Factor Remember Tokens are now valid for max 30 days. Old tokens are invalid directly after upgrading.

What's Changed

• apply policies only to confirmed members by @​stefan0xC in #​6892
• Feat(config): add feature flag for Safari account switching by @​DerPlayer2001 in #​6891
• fix: add ForcePasswordReset to api key login by @​montdidier in #​6904
• Add Webauthn related origins flag to known flags. by @​pasarenicu in #​6900
• Add 30s cache to SSO exchange_refresh_token by @​Timshel in #​6866
• Add cxp-import-mobile and cxp-export-mobile: feature flags on mobile by @​phoeagon in #​6853
• Misc updates and fixes by @​BlackDex in #​6910
• Support new desktop origin on CORS by @​dani-garcia in #​6920
• Fix checkout action version by @​dfunkt in #​6921
• Fix apikey login by @​BlackDex in #​6922
• Fix email header base64 padding by @​BlackDex in #​6961
• Update Feature Flags by @​BlackDex in #​6981
• Update crates and GHA by @​BlackDex in #​6980
• Use protected CI environment by @​dani-garcia in #​7004
• Fix 2FA Remember to actually be 30 days by @​BlackDex in #​6929
• Misc Updates by @​BlackDex in #​7027
• Switch to attest action by @​dfunkt in #​7017
• Rotate refresh-tokens on sstamp reset by @​BlackDex in #​7031
• Misc org fixes by @​BlackDex in #​7032
• Fix empty string FolderId by @​BlackDex in #​7048
• Disable deployments for release env by @​dfunkt in #​7033
• Fix Send icons by @​BlackDex in #​7051
• prevent managers from creating collections by @​stefan0xC in #​6890
• Change SQLite backup to use VACUUM INTO query by @​getaaron in #​6989
• Handle SIGTERM and SIGQUIT shutdown signals. by @​0x484558 in #​7008
• Do not display unavailable 2FA options by @​0x484558 in #​7013
• Fix logout push identifiers and send logout before clearing devices by @​qaz741wsd856 in #​7047
• Fix windows build issues by @​idontneedonetho in #​7065
• Crate and GHA updates by @​BlackDex in #​7081

New Contributors

• @​DerPlayer2001 made their first contribution in #​6891
• @​montdidier made their first contribution in #​6904
• @​pasarenicu made their first contribution in #​6900
• @​phoeagon made their first contribution in #​6853
• @​getaaron made their first contribution in #​6989
• @​0x484558 made their first contribution in #​7008
• @​qaz741wsd856 made their first contribution in #​7047
• @​idontneedonetho made their first contribution in #​7065

Full Changelog: dani-garcia/vaultwarden@1.35.4...1.35.5