vaultwarden

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

• SSO Login CSRF
  GHSA-pfp2-jhgq-6hg5
  GHSA-w6h6-8r66-hcv7
• User/Organization Enumeration
  GHSA-hxqh-ff5p-wfr3
• SSO existing-user binding
  GHSA-j4j8-gpvj-7fqr
  GHSA-6x5c-84vm-5j56
• SSRF via Icon Endpoint
  GHSA-72vh-x5jq-m82g
• Some crate's updated and other minor security enhancements

These are private for now, pending CVE assignment.

Notes

• Archiving of items is available
  https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/
  https://bitwarden.com/nl-nl/help/managing-items/#archive
• Web Vault updated to v2026.4.1

What's Changed

• SSO fallback to UserInfo preferred_username by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7128
• Dummy identifier need to pass for a guid by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7154
• add new /identity/accounts/prelogin/password by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/7156
• Add DuckDuckGo browser device type by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7147
• Apply duration_suboptimal_units lint findings by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7144
• Apply ref_option lint findings by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7143
• Fix hardcoded sso identifier by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7157
• Update crates and fix a nightly lint by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7161
• Fix Host/IP resolving by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7162
• Several SSO Fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7163
• Add support for archiving items by @matt-aaron in https://github.com/dani-garcia/vaultwarden/pull/6916
• Fix favicon fetching to check all icon links instead of just the first one by @Shocker in https://github.com/dani-garcia/vaultwarden/pull/6880
• Fix merge conflict by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/7164
• Replace organization_uuid unwrap with proper error handling by @xjohnyknox in https://github.com/dani-garcia/vaultwarden/pull/6936
• fix: return Err instead of panic on unknown cipher atype in to_json() by @mango766 in https://github.com/dani-garcia/vaultwarden/pull/7068
• Allow SQLite to be linked against dynamically by @ISSOtm in https://github.com/dani-garcia/vaultwarden/pull/7057
• Update crates and web-vault by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7171
• Update hickory by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7175

New Contributors

• @matt-aaron made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6916
• @Shocker made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6880
• @xjohnyknox made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6936
• @mango766 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7068
• @ISSOtm made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7057

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.8...1.36.0

You can discuss this release here https://github.com/dani-garcia/vaultwarden/discussions/7177