server

v2026.4.2 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

api aspnet aspnetcore bitwarden c# docker .net dotnet-core signalr sql sql-server

Affected surfaces

deps

ReleasePort's take

Moderate signal
editorial:auto 13d

v2026.4.2 adds master password policy enforcement at login, patches security issues in authentication workflows and OIDC integration, and requires a .NET 10 runtime upgrade.

Why it matters: The master password policy is now mandatory at login; deploy this release to enforce policies organization-wide. The security fixes address token exposure in CI, template injection, and OIDC vulnerabilities. The release requires .NET 10.

Summary

AI summary

Master password policy requirement now enforced on login.

Changes in this release

Security Medium

Remove exposed authentication tokens from workflows

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Serialize values to prevent template injection attacks

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Disable Pushed Authorization Request endpoint

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Add authorization checks to preview controller

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Security update: MailKit to 4.16.0

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Implement organization key validation

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Add TDE user key rotation support

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Add encryption version 2 support

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Update password pre-login salt response

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Add WebAuthn caching for authentication

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Implement Multi-Provider Ability Lookup

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Add Stripe Checkout to upgrade dialog

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Add report endpoints version 2

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Implement master password policy requirements

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Add master password service foundation

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Add organization invite link management endpoints

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Add drivers license and passport support

Source: llm_adapter@2026-05-21

Confidence: low

Feature Low

Add feature flag for secret versioning

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Add feature flag for autotriage (autofill)

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Add Revocation Reasons support

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Add desktop-ui-settings-dialog feature flag

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Add BulkAutoConfirmOnLogin feature flag

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Attach RevocationReason to Needed Client Response Model

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Implement feature flag for fetching new policies and organization details

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Support Unprotect only certificates

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Add organization ability UseInviteLinks

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Implement WebAuthn cache for authentication

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Dependency Medium

Upgrade runtime to .NET 10

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Update coverlet.collector to v10 in Billing package

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Performance Medium

Optimize organization exports performance

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Prevent orphaned Sends during deletion

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fix system coupons regression

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fix password changes with auth models

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Stop 500-retry loop on expired subscriptions

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fix data protection errors in DeleteSendsJob

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Preserve discounts during price migration

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Prevent custom users from removing admins

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fix self-hosted API member invites

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fix password change when using unlock and authentication data models

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Fix startup_failure in move_edd_db_scripts CI job

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Fix subscription handling bug

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Update Group.RevisionDate on edits and access changes

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Fix flaky tests due to timing issue (PM-35503)

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Bugfix Medium

Save cancellation details for scheduled subscriptions

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Low

Refactor setup shell commands

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Other Low

Remove legacy failure check job and Slack webhook

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Full changelog

What's Changed

  • Bug fix for subscription handling

🎨 Other

  • [PM-33501] Prevent orphaned Sends during user and org deletion by @harr1424 in https://github.com/bitwarden/server/pull/7386
  • Arch/qa env seeding tweaks by @MGibson1 in https://github.com/bitwarden/server/pull/7430
  • [deps] Tools: Update MailKit to 4.16.0 [SECURITY] by @renovate[bot] in https://github.com/bitwarden/server/pull/7502
  • [PM-25056] - Deadlock testing fix by @jrmccannon in https://github.com/bitwarden/server/pull/7478
  • [AppSec] AI Fix for Template Injection in GitHub Workflows Action by @aikido-autofix[bot] in https://github.com/bitwarden/server/pull/7448
  • [PM-34427] Fix Users can edit and save sends with the hide email address option enabled by @harr1424 in https://github.com/bitwarden/server/pull/7509
  • [PM-30483] Remove feature flagged logic around passkey unlock by @eligrubb in https://github.com/bitwarden/server/pull/7318
  • Add README for PolicyRequirements feature by @eliykat in https://github.com/bitwarden/server/pull/7503
  • [PM-27278] add AccountKeysRequestModel to RegisterFinishRequestModel for account encryption v2 support by @eligrubb in https://github.com/bitwarden/server/pull/6798
  • Add seed script for local development by @Hinton in https://github.com/bitwarden/server/pull/7490
  • billing/pm-24665/license-file-generation-should-fail-for-unpaid-subscription by @cyprain-okeke in https://github.com/bitwarden/server/pull/7444
  • Migrate server specific skills into correct location by @theMickster in https://github.com/bitwarden/server/pull/7488
  • [PM-32598] - Remove Unused sso/details Endpoint + Sprocs by @sven-bitwarden in https://github.com/bitwarden/server/pull/7400
  • Move missed integration files to DIRT by @eliykat in https://github.com/bitwarden/server/pull/7487
  • [PM-35306] Fix password change not working when using the unlock and authentication data models by @quexten in https://github.com/bitwarden/server/pull/7505
  • Update SSO package path in Renovate config by @ike-kottlowski in https://github.com/bitwarden/server/pull/7518
  • [sm-1878] Adding feature flag for secret versioning by @cd-bitwarden in https://github.com/bitwarden/server/pull/7170
  • Feature flag for autotriage (autofill) by @blackwood in https://github.com/bitwarden/server/pull/7528
  • [PM-33436] Refactor setup shell commands by @dereknance in https://github.com/bitwarden/server/pull/7494
  • Add -o --output parameters to DB seeder util for preset command by @mimartin12 in https://github.com/bitwarden/server/pull/7495
  • [PM-34213] Create attachment event log by @shane-melton in https://github.com/bitwarden/server/pull/7425
  • [PM-35489] Move collections to AC ownership by @eliykat in https://github.com/bitwarden/server/pull/7523
  • [PM-34813] fix system coupons regression by @kdenney in https://github.com/bitwarden/server/pull/7515
  • [PM-35250] Prevent Custom Users Removing Admins by @sven-bitwarden in https://github.com/bitwarden/server/pull/7526
  • [PM-35305] Add desktop-ui-settings-dialog flag by @Hinton in https://github.com/bitwarden/server/pull/7491
  • [PM-34822] Consistent error response 400 and 404 in Org Integrations controller by @voommen-livefront in https://github.com/bitwarden/server/pull/7458
  • [PM-28045] - Org Key Validation by @jrmccannon in https://github.com/bitwarden/server/pull/7384
  • [PM-33875] Add Revocation Reasons by @sven-bitwarden in https://github.com/bitwarden/server/pull/7473
  • [PM-35489] Move collections to AC ownership - update namespaces by @eliykat in https://github.com/bitwarden/server/pull/7532
  • Update Bitwarden.Server.Sdk to 1.5.2 by @justindbaur in https://github.com/bitwarden/server/pull/7559
  • fix(ci): fix startup_failure in move_edd_db_scripts job by @addisonbeck in https://github.com/bitwarden/server/pull/7554
  • [BRE-1848] Remove legacy failure check job and Slack webhook by @vgrassia in https://github.com/bitwarden/server/pull/7557
  • [PM-34116][PM-34117] Drivers License and Passport by @nick-livefront in https://github.com/bitwarden/server/pull/7512
  • PM-35200 - Create contributing guide for Claude tooling by @theMickster in https://github.com/bitwarden/server/pull/7508
  • [PM-34883] - Add InjectOrganizationUserAttribute by @jrmccannon in https://github.com/bitwarden/server/pull/7536
  • [PM-29090] Remove FF: pm-26793-fetch-premium-price-from-pricing-service - Flag by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7549
  • [PM-35805] Add BulkAutoConfirmOnLogin feature flag by @JaredScar in https://github.com/bitwarden/server/pull/7553
  • [PM-34565] Save Cancellation Details for Scheduled Subscriptions by @sbrown-livefront in https://github.com/bitwarden/server/pull/7535
  • Auth/pm 35392/master password service foundation by @enmande in https://github.com/bitwarden/server/pull/7530
  • [PM-34601] Bump Group.RevisionDate on edits and access changes by @r-tome in https://github.com/bitwarden/server/pull/7467
  • Implement master password policy requirement by @BTreston in https://github.com/bitwarden/server/pull/7537
  • [deps] Billing: Update coverlet.collector to v10 by @renovate[bot] in https://github.com/bitwarden/server/pull/7542
  • [PM-35252] by @ike-kottlowski in https://github.com/bitwarden/server/pull/7501
  • [PM-35253] Add organization ability UseInviteLinks by @r-tome in https://github.com/bitwarden/server/pull/7489
  • [PM-33417] WebAuthn cache by @ike-kottlowski in https://github.com/bitwarden/server/pull/7500
  • [PM-35351] Fix self-hosted public API member invites by skipping plan retrieval by @r-tome in https://github.com/bitwarden/server/pull/7507
  • [PM-33885]: Attach RevocationReason to Needed Client Response Model by @sven-bitwarden in https://github.com/bitwarden/server/pull/7563
  • [PM-34148] Implement feature flag for fetching new policies and organization details by @JaredScar in https://github.com/bitwarden/server/pull/7529
  • PM-35503 fixed flaky tests due to timing issue. by @prograhamming in https://github.com/bitwarden/server/pull/7551
  • [PM-36209] Support Unprotect only certificates by @justindbaur in https://github.com/bitwarden/server/pull/7569
  • [PM-34387] Add organization invite link creation endpoint by @r-tome in https://github.com/bitwarden/server/pull/7477
  • [BRE-1871] Adding trigger for dev deploy after build on main by @pixman20 in https://github.com/bitwarden/server/pull/7572
  • [PM-28727] Upgrade to .NET 10 by @dereknance in https://github.com/bitwarden/server/pull/7171
  • [BRE-1871] Using new trigger action by @pixman20 in https://github.com/bitwarden/server/pull/7573
  • Removed feature flag by @Patrick-Pimentel-Bitwarden in https://github.com/bitwarden/server/pull/7574
  • [PM-36250] Add option to load certificate from file path by @quexten in https://github.com/bitwarden/server/pull/7571
  • [PM-34774] Add GET endpoint for organization invite links by @r-tome in https://github.com/bitwarden/server/pull/7534
  • [deps] BRE: Update mcr.microsoft.com/devcontainers/dotnet Docker tag to v10 by @renovate[bot] in https://github.com/bitwarden/server/pull/6498
  • Separate Feature Flags for Desktop Native Team by @differsthecat in https://github.com/bitwarden/server/pull/7577
  • [PM-32100] Implement Multi-Provider Ability Lookup by @JimmyVo16 in https://github.com/bitwarden/server/pull/7552
  • [PM-34388] Add organization invite link update endpoint by @r-tome in https://github.com/bitwarden/server/pull/7560
  • [PM-35263] Admin Portal: Add checkbox for the InviteLinks ability by @r-tome in https://github.com/bitwarden/server/pull/7578
  • [PM-28346] Use SDK for attachment delete operations by @gbubemismith in https://github.com/bitwarden/server/pull/7538
  • [PM-36047] Add tech-leads group as owners of the CODEOWNERS file by @coltonhurst in https://github.com/bitwarden/server/pull/7562
  • [PM-30852] Add support for TDE user key rotation by @Thomas-Avery in https://github.com/bitwarden/server/pull/7565
  • [PM-34848] Add authorization to PreviewInvoiceController org endpoints by @connerbw in https://github.com/bitwarden/server/pull/7583
  • [PM-35257] Validate plan frequency tier by @connerbw in https://github.com/bitwarden/server/pull/7570
  • chore(launch/tasks): Upgrade for .net10 by @enmande in https://github.com/bitwarden/server/pull/7584
  • [PM-31631] update password pre-login salt response by @ike-kottlowski in https://github.com/bitwarden/server/pull/7469
  • [PM-36568] Disable Pushed Authorization Request endpoint in Identity and SSO by @ike-kottlowski in https://github.com/bitwarden/server/pull/7585
  • [BRE-1851] - Migrate Publish and Release workflows by @vgrassia in https://github.com/bitwarden/server/pull/7582
  • [PM-35909] Preserve existing discounts during price migration by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7561
  • [PM-34392] Add delete invite link endpoint by @r-tome in https://github.com/bitwarden/server/pull/7591
  • [PM-36421] Add xmldoc to Admin Console entities by @eliykat in https://github.com/bitwarden/server/pull/7580
  • [PM-36419] [BEEEP] Add collection management settings to seeder by @eliykat in https://github.com/bitwarden/server/pull/7576
  • [PM-33289] Stop 500-retry loop on incomplete_expired subs by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7525
  • [deps] Tools: Pin dependencies by @renovate[bot] in https://github.com/bitwarden/server/pull/6204
  • [PM-35624] Fix EF GetCountByOnlyOwnerAsync by @JimmyVo16 in https://github.com/bitwarden/server/pull/7586
  • [PM-35201] Enhance AdminRecoverAccountValidator to include Accepted status by @JaredScar in https://github.com/bitwarden/server/pull/7579
  • SHOT-152: Remove workflow logic for EE labels by @mimartin12 in https://github.com/bitwarden/server/pull/7595
  • [PM-33473] Remove pm-29594-update-individual-subscription-page feature flag by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7519
  • [PM-34389] Add refresh endpoint for organization invite links by @r-tome in https://github.com/bitwarden/server/pull/7588
  • [PM-19790] [PM-19791] Remove policy requirements feature flag references and definition by @vincentsalucci in https://github.com/bitwarden/server/pull/7596
  • [PM-35300] emails do not match figma by @JaredScar in https://github.com/bitwarden/server/pull/7592
  • [PM-36859] Add new feature flag for refactoring Org Collections Vault by @JaredScar in https://github.com/bitwarden/server/pull/7599
  • [PM-34150] - RequireSSO Applies to Accepted by @jrmccannon in https://github.com/bitwarden/server/pull/7603
  • [PM-25690] Create UpdateUserResetPasswordEnrollment command by @r-tome in https://github.com/bitwarden/server/pull/7594
  • PM 35229 [Browser/Desktop] Stripe Checkout from upgrade dialog by @cyprain-okeke in https://github.com/bitwarden/server/pull/7606
  • PM-31923 adding the whole report endpoints v2 by @prograhamming in https://github.com/bitwarden/server/pull/7228
  • [PM-23900] Optimize organization exports by @harr1424 in https://github.com/bitwarden/server/pull/7590
  • PM-36416 - Implement master password reprompt seeding by @theMickster in https://github.com/bitwarden/server/pull/7598
  • [deps]: Update vstest monorepo by @renovate[bot] in https://github.com/bitwarden/server/pull/6869
  • [deps]: Update Microsoft.NET.Test.Sdk to v18 by @renovate[bot] in https://github.com/bitwarden/server/pull/6870
  • Add data protection cert override to recommended dev settings by @MGibson1 in https://github.com/bitwarden/server/pull/7614
  • [deps]: Update actions/github-script action to v9 by @renovate[bot] in https://github.com/bitwarden/server/pull/7545
  • PM-34680 serialize values to prevent injection by @voommen-livefront in https://github.com/bitwarden/server/pull/7593
  • Bumped version to 2026.4.2 by @connerbw in https://github.com/bitwarden/server/pull/7619
  • [PM-31781] skip unpaid automations for exempt orgs by @kdenney in https://github.com/bitwarden/server/pull/7480
  • [PM-37077] Remediate Data Protection errors in DeleteSendsJob by @harr1424 in https://github.com/bitwarden/server/pull/7608
  • [PM-36613] Void open invoices for unpaid subscriptions by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7589
  • Remove plan file by @eliykat in https://github.com/bitwarden/server/pull/7625
  • Remove BW-GHAPP tokens from repository-management workflow by @AmyLGalles in https://github.com/bitwarden/server/pull/7624
  • Fix/repository management remove tokens by @AmyLGalles in https://github.com/bitwarden/server/pull/7626
  • [PM-36185] Change where Setup container looks for openssl config by @dereknance in https://github.com/bitwarden/server/pull/7623
  • [PM-37482] Disable migration tester by @eliykat in https://github.com/bitwarden/server/pull/7633

New Contributors

  • @aikido-autofix[bot] made their first contribution in https://github.com/bitwarden/server/pull/7448
  • @blackwood made their first contribution in https://github.com/bitwarden/server/pull/7528

Full Changelog: https://github.com/bitwarden/server/compare/v2026.4.1...v2026.4.2

Breaking Changes

  • Enforce master password policy requirement on login.

About server

Bitwarden infrastructure/backend (API, database, Docker, etc).

Related context

Earlier breaking changes

  • v2026.5.0 SSO Required policy now enforced for members in the “accepted” status
