Vaultwarden Updates & Release Notes

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

SSO Login CSRF

GHSA-pfp2-jhgq-6hg5

GHSA-w6h6-8r66-hcv7

User/Organization Enumeration

GHSA-hxqh-ff5p-wfr3

SSO existing-user binding

GHSA-j4j8-gpvj-7fqr

GHSA-6x5c-84vm-5j56

SSRF via Icon Endpoint

GHSA-72vh-x5jq-m82g

Some crate's updated and other minor security enhancements

These are private for now, pending CVE assignment.

Notes

Archiving of items is available

https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/

https://bitwarden.com/nl-nl/help/managing-items/#archive

Web Vault updated to v2026.4.1

What's Changed

• SSO fallback to UserInfo preferred_username by @Timshel in #7128
• Dummy identifier need to pass for a guid by @Timshel in #7154
• add new /identity/accounts/prelogin/password by @stefan0xC in #7156
• Add DuckDuckGo browser device type by @dfunkt in #7147
• Apply duration_suboptimal_units lint findings by @dfunkt in #7144
• Apply ref_option lint findings by @dfunkt in #7143
• Fix hardcoded sso identifier by @Timshel in #7157
• Update crates and fix a nightly lint by @BlackDex in #7161
• Fix Host/IP resolving by @BlackDex in #7162
• Several SSO Fixes by @BlackDex in #7163
• Add support for archiving items by @matt-aaron in #6916
• Fix favicon fetching to check all icon links instead of just the first one by @Shocker in #6880
• Fix merge conflict by @dani-garcia in #7164
• Replace organization_uuid unwrap with proper error handling by @xjohnyknox in #6936
• fix: return Err instead of panic on unknown cipher atype in to_json() by @mango766 in #7068
• Allow SQLite to be linked against dynamically by @ISSOtm in #7057
• Update crates and web-vault by @BlackDex in #7171
• Update hickory by @BlackDex in #7175

New Contributors

• @matt-aaron made their first contribution in #6916
• @Shocker made their first contribution in #6880
• @xjohnyknox made their first contribution in #6936
• @mango766 made their first contribution in #7068
• @ISSOtm made their first contribution in #7057

Full Changelog: 1.35.8...1.36.0

You can discuss this release here #7177

Original source

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

GHSA-937x-3j8m-7w7p Unconfirmed Owner Can Purge Entire Organization Vault.

GHSA-569v-845w-g82p Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization

GHSA-6j4w-g4jh-xjfx Refresh tokens not invalidated on security stamp rotation

These are private for now, pending CVE assignment.

Notes

The admin templates have changed, please update them if you override these via templates.

Two Factor Remember Tokens are now valid for max 30 days. Old tokens are invalid directly after upgrading.

What's Changed

• apply policies only to confirmed members by @stefan0xC in #6892
• Feat(config): add feature flag for Safari account switching by @DerPlayer2001 in #6891
• fix: add ForcePasswordReset to api key login by @montdidier in #6904
• Add Webauthn related origins flag to known flags. by @pasarenicu in #6900
• Add 30s cache to SSO exchange_refresh_token by @Timshel in #6866
• Add cxp-import-mobile and cxp-export-mobile: feature flags on mobile by @phoeagon in #6853
• Misc updates and fixes by @BlackDex in #6910
• Support new desktop origin on CORS by @dani-garcia in #6920
• Fix checkout action version by @dfunkt in #6921
• Fix apikey login by @BlackDex in #6922
• Fix email header base64 padding by @BlackDex in #6961
• Update Feature Flags by @BlackDex in #6981
• Update crates and GHA by @BlackDex in #6980
• Use protected CI environment by @dani-garcia in #7004
• Fix 2FA Remember to actually be 30 days by @BlackDex in #6929
• Misc Updates by @BlackDex in #7027
• Switch to attest action by @dfunkt in #7017
• Rotate refresh-tokens on sstamp reset by @BlackDex in #7031
• Misc org fixes by @BlackDex in #7032
• Fix empty string FolderId by @BlackDex in #7048
• Disable deployments for release env by @dfunkt in #7033
• Fix Send icons by @BlackDex in #7051
• prevent managers from creating collections by @stefan0xC in #6890
• Change SQLite backup to use VACUUM INTO query by @getaaron in #6989
• Handle SIGTERM and SIGQUIT shutdown signals. by @0x484558 in #7008
• Do not display unavailable 2FA options by @0x484558 in #7013
• Fix logout push identifiers and send logout before clearing devices by @qaz741wsd856 in #7047
• Fix windows build issues by @idontneedonetho in #7065
• Crate and GHA updates by @BlackDex in #7081

New Contributors

• @DerPlayer2001 made their first contribution in #6891
• @montdidier made their first contribution in #6904
• @pasarenicu made their first contribution in #6900
• @phoeagon made their first contribution in #6853
• @getaaron made their first contribution in #6989
• @0x484558 made their first contribution in #7008
• @qaz741wsd856 made their first contribution in #7047
• @idontneedonetho made their first contribution in #7065

Full Changelog: 1.35.4...1.35.5

Original source

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.
GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.
These are private for now, pending CVE assignment.

What's Changed

• Update Rust and Crates and GHA by @BlackDex in #6843
• hide remember 2fa token by @stefan0xC in #6852
• fix(send_invite): invite links by @proofofcopilot in #6824
• Misc organization fixes by @BlackDex in #6867

New Contributors

• @proofofcopilot made their first contribution in #6824

Full Changelog: 1.35.3...1.35.4

Original source

Security Fixes

This release contains security fixes for the following advisory. We strongly advice to update as soon as possible if you believe it could affect you.

GHSA-h265-g7rm-h337 (Publication in process, waiting for CVE assignment)
This vulnerability would allow an authenticated attacker that is part of an organization to access items from collections to which the attacker does not belong.

What's Changed

• Fix User API Key login by @BlackDex in #6712
• use email instead of empty name for webauhn by @stefan0xC in #6733
• hide password hints via CSS by @stefan0xC in #6726
• fix email as 2fa with auth requests by @stefan0xC in #6736
• Update crates, web-vault, js, workflows by @BlackDex in #6749
• refactor: improve tooltips in diagnostics page by @tessus in #6765
• Empty AccountKeys when no private key by @Timshel in #6761
• fix error message for purging auth requests by @stefan0xC in #6776
• Misc updates, crates, rust, js, gha, vault by @BlackDex in #6799
• Update crates and web-vault by @BlackDex in #6810
• Fix org-details issue by @BlackDex in #6811

Full Changelog: 1.35.2...1.35.3

Original source

Notable changes

Implemented support for SSO with OpenID Connect, https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect

Updated web vault to 2025.12.0

Added support for future mobile apps with versions 2026.1.0+

This is the first vaultwarden release using immutable releases and release attestation!

What's Changed

• Fix multi delete slowdown by @BlackDex in #6144
• Perform same checks when setting kdf by @Timshel in #6141
• SSO using OpenID Connect by @Timshel in #3899
• Delete SSO.md by @dani-garcia in #6152
• Update webauthn-rs to 0.5.x by @zUnixorn in #5934
• a little cleanup after SSO merge by @stefan0xC in #6153
• Fix link to point to the wiki by @Timshel in #6157
• Fix Email 2FA for mobile apps by @dfunkt in #6156
• Update Rust to 1.89.0 by @dfunkt in #6150
• Fix several more multi select push issues by @BlackDex in #6151
• Fix minor typo by @ncguk in #6165
• Update crates, fixes some yanked crates by @BlackDex in #6167
• Fix WebauthN issue with Software Keys by @BlackDex in #6168
• Fix Playwright test conf and update deps by @Timshel in #6176
• Misc updates by @BlackDex in #6185
• fix typo in description of helo_name by @Flottegurke in #6194
• Fix Playwright by @Timshel in #6206
• Switch to GHA's concurrency control by @dfunkt in #6164
• Make database connection pool dynamic by @Samoth69 in #6166
• Re-add if check to release workflow by @dfunkt in #6227
• Fix Webauthn/Passkey 2FA migration/validation issues by @BlackDex in #6190
• refactor(config): update template, add validation by @tessus in #6229
• Show SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION in admin by @Timshel in #6235
• Update crates, gha and web-vault by @BlackDex in #6234
• Fix panic around sso_master_password_policy by @Timshel in #6233
• make webauthn more optional by @stefan0xC in #6160
• Fix 2fa recovery endpoint by @BlackDex in #6240
• update trivy-action to v0.33.0 by @stefan0xC in #6248
• update web vault to v2025.9.1 and allow new policy by @stefan0xC in #6340
• prevent changing collections when hide_passwords is true by @stefan0xC in #6278
• Fix sso_user dropped on User::save by @Timshel in #6262
• Change OIDC dummy identifier by @Timshel in #6263
• add new billing warnings endpoint by @stefan0xC in #6369
• Add auth_request pending endpoint by @Timshel in #6368
• Fix Org identifier by @Timshel in #6364
• add mail address change warning for invited accounts by @stefan0xC in #6377
• add missing media-src directive by @stefan0xC in #6381
• add seat limit for the invite dialog by @stefan0xC in #6371
• [Playwright] Improvements around node by @Timshel in #6321
• Use Diesels MultiConnections Derive by @BlackDex in #6279
• Improve protected actions by @dani-garcia in #6411
• Fix issue with key-rotation and emergency-access by @BlackDex in #6421
• Optimizations and build speedup by @BlackDex in #6339
• Use an older version of mariadb to prevent a panic by @BlackDex in #6453
• Playwright against abitrary web-vault by @Timshel in #6380
• Fix KDF Change with new web-vault by @BlackDex in #6458
• Fix: admin theme emoji alignment by @joepduin in #6459
• remove invalid emergency access dummy value by @stefan0xC in #6463
• Add pm-25373-windows-biometrics-v2 feature flag by @Ephemera42 in #6468
• Switch to multiple runners per arch by @dfunkt in #6472
• Fix icon redirect caching by @BlackDex in #6487
• Fix around singleorg policy by @Timshel in #6247
• fix email as 2fa provider by @stefan0xC in #6473
• Update crates and Rust version by @BlackDex in #6485
• Add option to prefer IPv6 resolving by @BlackDex in #6494
• Some small admin js/css updates by @BlackDex in #6501
• Update crates and workflows and some fixes by @BlackDex in #6508
• Fixed a typo in the default TTL value by @k725 in #6528
• Iterate over tags on release by @Timshel in #6518
• Org.put_policy type not in body anymore by @Timshel in #6514
• Android want response property in camelCase by @Timshel in #6513
• Fix admin invite with SSO by @Timshel in #6498
• Improve sso auth flow by @Timshel in #6205
• fix email as 2fa for sso by @stefan0xC in #6495
• Fix release workflow by @BlackDex in #6532
• Further fixes for the release workflow by @dfunkt in #6533
• add empty /api/tasks endpoint by @stefan0xC in #6557
• Revert to gzip compression by @dfunkt in #6566
• support UriMatchDefaults policy by @stefan0xC in #6570
• Add new accountKeys and masterPasswordUnlock fields by @dani-garcia in #6572
• Update crates and Rust by @BlackDex in #6551
• Add UserDecryption on /sync too by @dani-garcia in #6574
• Update web-vault to v2025.12.0 by @BlackDex in #6577
• Fix posting cipher with readonly collections by @BlackDex in #6578
• Update crates by @BlackDex in #6585
• Simplify binary extraction by @dfunkt in #6554
• Remove unnecessary output sharing between jobs by @dfunkt in #6555
• Add wrapped named variants to UserDecryptionOptions by @dani-garcia in #6598

New Contributors

@zUnixorn made their first contribution in #5934

@ncguk made their first contribution in #6165

@Flottegurke made their first contribution in #6194

@Samoth69 made their first contribution in #6166

@joepduin made their first contribution in #6459

@k725 made their first contribution in #6528

Full Changelog

1.34.3...1.35.0

Original source

Notable changes

Updated web vault to 2025.7.0

Included experimental support for S3 file backend using OpenDAL. This currently requires compiling from source with the s3 feature flag, check #5626 for more details.

What's Changed

fix css to hide login with passkey by @stefan0xC in #5890

fix css for locked screen by @stefan0xC in #5905

Abstract persistent files through Apache OpenDAL by @txase in #5626

Some small admin updates by @BlackDex in #5909

Fix and improvements to password policies by @Timshel in #5923

Update Alpine to version 3.22 by @dfunkt in #5938

make css for login-page position independent by @stefan0xC in #5906

Minor fixes to copy in .env.template by @nickgrim in #5928

Update crates and web-vault by @BlackDex in #5955

allow signup for invited users by @stefan0xC in #5967

fix account recovery withdrawal by @stefan0xC in #5968

Fix an issue with yubico keys not validating by @BlackDex in #5991

Misc Updates and favicon fixes by @BlackDex in #5993

Update flags version and enable manual error reporting by @dani-garcia in #5994

Use existing reqwest client for AWS S3 requests by @txase in #5917

Fix v2025.6.x clients and newer to delete items by @BlackDex in #6004

chore: fix some minor issues in the comments by @mountdisk in #5998

fix hiding email as 2fa provider by @stefan0xC in #6026

Update web-vault and admin resources by @BlackDex in #6044

improve the usage section of the README by @stefan0xC in #6041

close unmatched left parenthesis in the README by @stefan0xC in #6046

Update crates, workflow and issue template by @BlackDex in #6056

Update release.yml by @dani-garcia in #6057

fix hash reference in release.yml by @stefan0xC in #6058

Fix digest SHA extraction step by @dfunkt in #6059

Hide login form custom fields by @Timshel in #6054

Adjust issue template by @BlackDex in #6096

fix: resolve group permission conflicts with multiple groups by @DasCanard in #6017

Update crates by @BlackDex in #6100

fix account key rotation by @stefan0xC in #6105

New Contributors

@txase made their first contribution in #5626

@nickgrim made their first contribution in #5928

@mountdisk made their first contribution in #5998

@DasCanard made their first contribution in #6017

Full Changelog: 1.34.1...1.35.0

Original source

Notable changes

Updated web-vault to v2025.5.0
Implemented new registration flow with email verification
Added support for some feature flags (mutual TLS, attachment export, AnonAddy/SimpleLogin self host)

What's Changed

• Update crates & fix CVE-2025-25188 by @dfunkt in #5576
• Fix db issues with Option<> values and upd crates by @BlackDex in #5594
• allow CLI to upload send files with truncated filenames by @stefan0xC in #5618
• Update Rust to 1.85.0 by @dfunkt in #5634
• Use subtle to replace deprecated ring::constant_time::verify_slices_are_equal by @Timshel in #5680
• Add support for mutual-tls feature flag by @bennettmsherman in #5698
• Add AnonAddy/SimpleLogin self host feature flag by @PseudoResonance in #5694
• Implement new registration flow with email verification by @dani-garcia in #5215
• Some fixes for the new web-vault and updates by @BlackDex in #5703
• Update Rust, Crates and other deps by @BlackDex in #5709
• Update deps and web-vault by @BlackDex in #5742
• Fix invited user registration without SMTP by @Timshel in #5712
• Fix mysqlclient-sys building by @BlackDex in #5743
• Really fix building by @BlackDex in #5745
• Update Rust to 1.86.0 by @dfunkt in #5744
• Verify templates in CI by @dani-garcia in #5748
• Add Docker Templates pre-commit check by @BlackDex in #5749
• Fix debian docker building by @BlackDex in #5752
• Updates and general fixes by @BlackDex in #5762
• On member invite and edit access_all is not sent anymore by @Timshel in #5673
• respond with cipher json when deleting attachments by @stefan0xC in #5823
• feat: add feature flag export-attachments by @tessus in #5784
• Fix Yubico toggle by @Timshel in #5833
• Fix minimum Android version for self-host email alias feature flags by @PseudoResonance in #5802
• feat: add ip address in logs when email 2fa token is invalid or not available by @tessus in #5779
• Update Rust, Crates and Web-Vault by @BlackDex in #5860
• Add totp menu feature flag by @moodejb123 in #5850
• Remove Hide Business scss rules by @Timshel in #5855
• Toggle providers using class by @Timshel in #5832
• Remove old client version check by @Timshel in #5874
• web-client now request email 2fa by @Timshel in #5871
• Update admin interface by @BlackDex in #5880
• Sync with Upstream by @BlackDex in #5798

New Contributors

• @bennettmsherman made their first contribution in #5698
• @PseudoResonance made their first contribution in #5694
• @moodejb123 made their first contribution in #5850

Full Changelog: 1.33.2...1.34.0

Original source