Skip to content

server

v2026.5.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 8d Server & OS Management
βœ“ No known CVEs patched
Read the diff β†’ Tool health β†’ What is this tool? β†’
This release patches 1 known CVE

Topics

api aspnet aspnetcore bitwarden c# docker
+5 more
.net dotnet-core signalr sql sql-server

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 7d

Update MailKit to versionβ€―4.16.0 immediately due to a security advisory.

Why it matters: The MailKit dependency has a SECURITY‑type update (severityβ€―90) that requires patching to mitigate risk.

Summary

AI summary

Broad release touches 🎨 Other, Overview, πŸ“¦ Dependency Updates, and πŸ› Bug fixes.

Changes in this release

Security Critical

[deps] Tools: Update MailKit to 4.16.0 [SECURITY]

[deps] Tools: Update MailKit to 4.16.0 [SECURITY]

Source: llm_adapter@2026-05-27

Confidence: high

 β€”
Breaking High

SSO Required policy now enforced for members in the β€œaccepted” status

SSO Required policy now enforced for members in the β€œaccepted” status

Source: llm_adapter@2026-05-27

Confidence: high

 β€”
Feature Medium

Added support for new item types

Added support for new item types

Source: llm_adapter@2026-05-27

Confidence: high

 β€”
Dependency Low

Update `Bitwarden.Server.Sdk` to `1.5.2`

Update `Bitwarden.Server.Sdk` to `1.5.2`

Source: llm_adapter@2026-05-27

Confidence: high

 β€”
Dependency Low

Upgrade to .NET 10

Upgrade to .NET 10

Source: llm_adapter@2026-05-27

Confidence: high

 β€”
Bugfix Medium

[PM-36613] Void open invoices for unpaid subscriptions

[PM-36613] Void open invoices for unpaid subscriptions

Source: llm_adapter@2026-05-27

Confidence: high

 β€”
Bugfix Medium

[AppSec] AI Fix for Template Injection in GitHub Workflows Action

[AppSec] AI Fix for Template Injection in GitHub Workflows Action

Source: llm_adapter@2026-05-27

Confidence: low

 β€”
Bugfix Low

[PM-36678] Add custom user check

[PM-36678] Add custom user check

Source: llm_adapter@2026-05-27

Confidence: high

 β€”
Bugfix Low

[PM-36563] Send access event logs

[PM-36563] Send access event logs

Source: llm_adapter@2026-05-27

Confidence: high

 β€”
Bugfix Low

[PM-36560] Create Send event logs

[PM-36560] Create Send event logs

Source: llm_adapter@2026-05-27

Confidence: high

 β€”
Full changelog

Overview

  • Removed feature flag for Premium risk insights
  • Removed feature flag for web app welcome dialogs
  • Removed feature flag for migration of cipher operations to SDK
  • Removed feature flag for autofill security prompt
  • Added support for new item types
  • SSO Required policy now enforced for members in the β€œaccepted” status
  • Server now logs client version and recent activity on device table
  • Various under-the-hood improvements and minor bug fixes

What's Changed

πŸ› Bug fixes

  • [PM-36613] Void open invoices for unpaid subscriptions by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7589

πŸ“¦ Dependency Updates

  • Update Bitwarden.Server.Sdk to 1.5.2 by @justindbaur in https://github.com/bitwarden/server/pull/7559
  • Bumped version to 2026.4.2 by @connerbw in https://github.com/bitwarden/server/pull/7619

🎨 Other

  • [PM-33501] Prevent orphaned Sends during user and org deletion by @harr1424 in https://github.com/bitwarden/server/pull/7386
  • Arch/qa env seeding tweaks by @MGibson1 in https://github.com/bitwarden/server/pull/7430
  • [deps] Tools: Update MailKit to 4.16.0 [SECURITY] by @renovate[bot] in https://github.com/bitwarden/server/pull/7502
  • [PM-25056] - Deadlock testing fix by @jrmccannon in https://github.com/bitwarden/server/pull/7478
  • [AppSec] AI Fix for Template Injection in GitHub Workflows Action by @aikido-autofix[bot] in https://github.com/bitwarden/server/pull/7448
  • [PM-34427] Fix Users can edit and save sends with the hide email address option enabled by @harr1424 in https://github.com/bitwarden/server/pull/7509
  • [PM-30483] Remove feature flagged logic around passkey unlock by @eligrubb in https://github.com/bitwarden/server/pull/7318
  • Add README for PolicyRequirements feature by @eliykat in https://github.com/bitwarden/server/pull/7503
  • [PM-27278] add AccountKeysRequestModel to RegisterFinishRequestModel for account encryption v2 support by @eligrubb in https://github.com/bitwarden/server/pull/6798
  • Add seed script for local development by @Hinton in https://github.com/bitwarden/server/pull/7490
  • billing/pm-24665/license-file-generation-should-fail-for-unpaid-subscription by @cyprain-okeke in https://github.com/bitwarden/server/pull/7444
  • Migrate server specific skills into correct location by @theMickster in https://github.com/bitwarden/server/pull/7488
  • [PM-32598] - Remove Unused sso/details Endpoint + Sprocs by @sven-bitwarden in https://github.com/bitwarden/server/pull/7400
  • Move missed integration files to DIRT by @eliykat in https://github.com/bitwarden/server/pull/7487
  • [PM-35306] Fix password change not working when using the unlock and authentication data models by @quexten in https://github.com/bitwarden/server/pull/7505
  • Update SSO package path in Renovate config by @ike-kottlowski in https://github.com/bitwarden/server/pull/7518
  • [sm-1878] Adding feature flag for secret versioning by @cd-bitwarden in https://github.com/bitwarden/server/pull/7170
  • Feature flag for autotriage (autofill) by @blackwood in https://github.com/bitwarden/server/pull/7528
  • [PM-33436] Refactor setup shell commands by @dereknance in https://github.com/bitwarden/server/pull/7494
  • Add -o --output parameters to DB seeder util for preset command by @mimartin12 in https://github.com/bitwarden/server/pull/7495
  • [PM-34213] Create attachment event log by @shane-melton in https://github.com/bitwarden/server/pull/7425
  • [PM-35489] Move collections to AC ownership by @eliykat in https://github.com/bitwarden/server/pull/7523
  • [PM-34813] fix system coupons regression by @kdenney in https://github.com/bitwarden/server/pull/7515
  • [PM-35250] Prevent Custom Users Removing Admins by @sven-bitwarden in https://github.com/bitwarden/server/pull/7526
  • [PM-35305] Add desktop-ui-settings-dialog flag by @Hinton in https://github.com/bitwarden/server/pull/7491
  • [PM-34822] Consistent error response 400 and 404 in Org Integrations controller by @voommen-livefront in https://github.com/bitwarden/server/pull/7458
  • [PM-28045] - Org Key Validation by @jrmccannon in https://github.com/bitwarden/server/pull/7384
  • [PM-33875] Add Revocation Reasons by @sven-bitwarden in https://github.com/bitwarden/server/pull/7473
  • [PM-35489] Move collections to AC ownership - update namespaces by @eliykat in https://github.com/bitwarden/server/pull/7532
  • fix(ci): fix startup_failure in move_edd_db_scripts job by @addisonbeck in https://github.com/bitwarden/server/pull/7554
  • [BRE-1848] Remove legacy failure check job and Slack webhook by @vgrassia in https://github.com/bitwarden/server/pull/7557
  • [PM-34116][PM-34117] Drivers License and Passport by @nick-livefront in https://github.com/bitwarden/server/pull/7512
  • PM-35200 - Create contributing guide for Claude tooling by @theMickster in https://github.com/bitwarden/server/pull/7508
  • [PM-34883] - Add InjectOrganizationUserAttribute by @jrmccannon in https://github.com/bitwarden/server/pull/7536
  • [PM-29090] Remove FF: pm-26793-fetch-premium-price-from-pricing-service - Flag by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7549
  • [PM-35805] Add BulkAutoConfirmOnLogin feature flag by @JaredScar in https://github.com/bitwarden/server/pull/7553
  • [PM-34565] Save Cancellation Details for Scheduled Subscriptions by @sbrown-livefront in https://github.com/bitwarden/server/pull/7535
  • Auth/pm 35392/master password service foundation by @enmande in https://github.com/bitwarden/server/pull/7530
  • [PM-34601] Bump Group.RevisionDate on edits and access changes by @r-tome in https://github.com/bitwarden/server/pull/7467
  • Implement master password policy requirement by @BTreston in https://github.com/bitwarden/server/pull/7537
  • [deps] Billing: Update coverlet.collector to v10 by @renovate[bot] in https://github.com/bitwarden/server/pull/7542
  • [PM-35252] by @ike-kottlowski in https://github.com/bitwarden/server/pull/7501
  • [PM-35253] Add organization ability UseInviteLinks by @r-tome in https://github.com/bitwarden/server/pull/7489
  • [PM-33417] WebAuthn cache by @ike-kottlowski in https://github.com/bitwarden/server/pull/7500
  • [PM-35351] Fix self-hosted public API member invites by skipping plan retrieval by @r-tome in https://github.com/bitwarden/server/pull/7507
  • [PM-33885]: Attach RevocationReason to Needed Client Response Model by @sven-bitwarden in https://github.com/bitwarden/server/pull/7563
  • [PM-34148] Implement feature flag for fetching new policies and organization details by @JaredScar in https://github.com/bitwarden/server/pull/7529
  • PM-35503 fixed flaky tests due to timing issue. by @prograhamming in https://github.com/bitwarden/server/pull/7551
  • [PM-36209] Support Unprotect only certificates by @justindbaur in https://github.com/bitwarden/server/pull/7569
  • [PM-34387] Add organization invite link creation endpoint by @r-tome in https://github.com/bitwarden/server/pull/7477
  • [BRE-1871] Adding trigger for dev deploy after build on main by @pixman20 in https://github.com/bitwarden/server/pull/7572
  • [PM-28727] Upgrade to .NET 10 by @dereknance in https://github.com/bitwarden/server/pull/7171
  • [BRE-1871] Using new trigger action by @pixman20 in https://github.com/bitwarden/server/pull/7573
  • Removed feature flag by @Patrick-Pimentel-Bitwarden in https://github.com/bitwarden/server/pull/7574
  • [PM-36250] Add option to load certificate from file path by @quexten in https://github.com/bitwarden/server/pull/7571
  • [PM-34774] Add GET endpoint for organization invite links by @r-tome in https://github.com/bitwarden/server/pull/7534
  • [deps] BRE: Update mcr.microsoft.com/devcontainers/dotnet Docker tag to v10 by @renovate[bot] in https://github.com/bitwarden/server/pull/6498
  • Separate Feature Flags for Desktop Native Team by @differsthecat in https://github.com/bitwarden/server/pull/7577
  • [PM-32100] Implement Multi-Provider Ability Lookup by @JimmyVo16 in https://github.com/bitwarden/server/pull/7552
  • [PM-34388] Add organization invite link update endpoint by @r-tome in https://github.com/bitwarden/server/pull/7560
  • [PM-35263] Admin Portal: Add checkbox for the InviteLinks ability by @r-tome in https://github.com/bitwarden/server/pull/7578
  • [PM-28346] Use SDK for attachment delete operations by @gbubemismith in https://github.com/bitwarden/server/pull/7538
  • [PM-36047] Add tech-leads group as owners of the CODEOWNERS file by @coltonhurst in https://github.com/bitwarden/server/pull/7562
  • [PM-30852] Add support for TDE user key rotation by @Thomas-Avery in https://github.com/bitwarden/server/pull/7565
  • [PM-34848] Add authorization to PreviewInvoiceController org endpoints by @connerbw in https://github.com/bitwarden/server/pull/7583
  • [PM-35257] Validate plan frequency tier by @connerbw in https://github.com/bitwarden/server/pull/7570
  • chore(launch/tasks): Upgrade for .net10 by @enmande in https://github.com/bitwarden/server/pull/7584
  • [PM-31631] update password pre-login salt response by @ike-kottlowski in https://github.com/bitwarden/server/pull/7469
  • [PM-36568] Disable Pushed Authorization Request endpoint in Identity and SSO by @ike-kottlowski in https://github.com/bitwarden/server/pull/7585
  • [BRE-1851] - Migrate Publish and Release workflows by @vgrassia in https://github.com/bitwarden/server/pull/7582
  • [PM-35909] Preserve existing discounts during price migration by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7561
  • [PM-34392] Add delete invite link endpoint by @r-tome in https://github.com/bitwarden/server/pull/7591
  • [PM-36421] Add xmldoc to Admin Console entities by @eliykat in https://github.com/bitwarden/server/pull/7580
  • [PM-36419] [BEEEP] Add collection management settings to seeder by @eliykat in https://github.com/bitwarden/server/pull/7576
  • [PM-33289] Stop 500-retry loop on incomplete_expired subs by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7525
  • [deps] Tools: Pin dependencies by @renovate[bot] in https://github.com/bitwarden/server/pull/6204
  • [PM-35624] Fix EF GetCountByOnlyOwnerAsync by @JimmyVo16 in https://github.com/bitwarden/server/pull/7586
  • [PM-35201] Enhance AdminRecoverAccountValidator to include Accepted status by @JaredScar in https://github.com/bitwarden/server/pull/7579
  • SHOT-152: Remove workflow logic for EE labels by @mimartin12 in https://github.com/bitwarden/server/pull/7595
  • [PM-33473] Remove pm-29594-update-individual-subscription-page feature flag by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7519
  • [PM-34389] Add refresh endpoint for organization invite links by @r-tome in https://github.com/bitwarden/server/pull/7588
  • [PM-19790] [PM-19791] Remove policy requirements feature flag references and definition by @vincentsalucci in https://github.com/bitwarden/server/pull/7596
  • [PM-35300] emails do not match figma by @JaredScar in https://github.com/bitwarden/server/pull/7592
  • [PM-36859] Add new feature flag for refactoring Org Collections Vault by @JaredScar in https://github.com/bitwarden/server/pull/7599
  • [PM-34150] - RequireSSO Applies to Accepted by @jrmccannon in https://github.com/bitwarden/server/pull/7603
  • [PM-25690] Create UpdateUserResetPasswordEnrollment command by @r-tome in https://github.com/bitwarden/server/pull/7594
  • PM 35229 [Browser/Desktop] Stripe Checkout from upgrade dialog by @cyprain-okeke in https://github.com/bitwarden/server/pull/7606
  • PM-31923 adding the whole report endpoints v2 by @prograhamming in https://github.com/bitwarden/server/pull/7228
  • [PM-23900] Optimize organization exports by @harr1424 in https://github.com/bitwarden/server/pull/7590
  • PM-36416 - Implement master password reprompt seeding by @theMickster in https://github.com/bitwarden/server/pull/7598
  • [deps]: Update vstest monorepo by @renovate[bot] in https://github.com/bitwarden/server/pull/6869
  • [deps]: Update Microsoft.NET.Test.Sdk to v18 by @renovate[bot] in https://github.com/bitwarden/server/pull/6870
  • Add data protection cert override to recommended dev settings by @MGibson1 in https://github.com/bitwarden/server/pull/7614
  • [deps]: Update actions/github-script action to v9 by @renovate[bot] in https://github.com/bitwarden/server/pull/7545
  • PM-34680 serialize values to prevent injection by @voommen-livefront in https://github.com/bitwarden/server/pull/7593
  • [PM-31781] skip unpaid automations for exempt orgs by @kdenney in https://github.com/bitwarden/server/pull/7480
  • [PM-37077] Remediate Data Protection errors in DeleteSendsJob by @harr1424 in https://github.com/bitwarden/server/pull/7608
  • Remove plan file by @eliykat in https://github.com/bitwarden/server/pull/7625
  • Remove BW-GHAPP tokens from repository-management workflow by @AmyLGalles in https://github.com/bitwarden/server/pull/7624
  • Fix/repository management remove tokens by @AmyLGalles in https://github.com/bitwarden/server/pull/7626
  • [PM-36185] Change where Setup container looks for openssl config by @dereknance in https://github.com/bitwarden/server/pull/7623
  • [PM-37482] Disable migration tester by @eliykat in https://github.com/bitwarden/server/pull/7633
  • Seeder progress indicators by @withinfocus in https://github.com/bitwarden/server/pull/7510
  • [PM-37230] remove FF logic from new send endpoints by @itsadrago in https://github.com/bitwarden/server/pull/7621
  • [PM-35300] fix emails do not match figma by @JaredScar in https://github.com/bitwarden/server/pull/7609
  • [PM-30215] Allow key rotation for key connector users by @mzieniukbw in https://github.com/bitwarden/server/pull/7618
  • [PM 34174]Do not show renewal reminder banners to exempt organizations by @cyprain-okeke in https://github.com/bitwarden/server/pull/7483
  • Auth/PM-37165 - Add Last API Key Rotated Date to User by @JaredSnider-Bitwarden in https://github.com/bitwarden/server/pull/7634
  • [PM-37292] - add feature flag by @jaasen-livefront in https://github.com/bitwarden/server/pull/7630
  • [PM-26657] removes feature flag pm-25083-autofill-confirm-from-search by @jengstrom-bw in https://github.com/bitwarden/server/pull/7610
  • Auth/PM-37166 - Devices - add client version by @JaredSnider-Bitwarden in https://github.com/bitwarden/server/pull/7632
  • [PM-36560] Create Send event logs by @harr1424 in https://github.com/bitwarden/server/pull/7602
  • PM-37478 temporarily disabling useRiskInsights access controll by @prograhamming in https://github.com/bitwarden/server/pull/7631
  • [PM-29607] Remove PM24032 Feature Flag by @sbrown-livefront in https://github.com/bitwarden/server/pull/7558
  • Aspire Integration by @sbrown-livefront in https://github.com/bitwarden/server/pull/6775
  • Migrate to SLNX Style Solution by @justindbaur in https://github.com/bitwarden/server/pull/7645
  • [PM-26696] Removes pm-23904-risk-insights-for-premium feature flag by @jengstrom-bw in https://github.com/bitwarden/server/pull/7613
  • Aspire: Add README for Aspire AppHost setup and usage by @sbrown-livefront in https://github.com/bitwarden/server/pull/7646
  • chore: ignore C# Dev Kit lscache and dump files by @enmande in https://github.com/bitwarden/server/pull/7648
  • Auth/PM-37621 - Fix Device.LastActivityDate surfacing legacy NULL rows as DateTime.UtcNow by @JaredSnider-Bitwarden in https://github.com/bitwarden/server/pull/7649
  • [PM-32743] Add ability to create folders during import to orgs by @mcamirault in https://github.com/bitwarden/server/pull/7568
  • [PM-19551] Add externalId support to groups PATCH endpoint by @JimmyVo16 in https://github.com/bitwarden/server/pull/7620
  • [PM-35357] Update Trial Length Parameter by @sbrown-livefront in https://github.com/bitwarden/server/pull/7597
  • Bump version to 2026.5.0 by @github-actions[bot] in https://github.com/bitwarden/server/pull/7655
  • [PM-36949] feat: Add OrganizationPlanMigrationCohort and Assignment tables with bare repositories by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7644
  • [PM-36843] Skip relay push registration for non mobile clients by @justindbaur in https://github.com/bitwarden/server/pull/7617
  • [PM-13328] Move OrganizationCollectionManagementUpdateRequestModel to AC team by @eliykat in https://github.com/bitwarden/server/pull/7651
  • [PM-37723] Add feature flag pm-28191-cipher-admin-ops-to-sdk by @nikwithak in https://github.com/bitwarden/server/pull/7664
  • [PM-37237] Move OrganizationsNew into ProfileResponseModel by @eliykat in https://github.com/bitwarden/server/pull/7627
  • Triggering main build to rebuild after cosign failure by @pixman20 in https://github.com/bitwarden/server/pull/7669
  • Add PAM feature flag by @Hinton in https://github.com/bitwarden/server/pull/7641
  • [PM-35058] Adoption UX Improvements (feature flag) by @voommen-livefront in https://github.com/bitwarden/server/pull/7657
  • [PM-36359] Feature flag for Splunk integration by @voommen-livefront in https://github.com/bitwarden/server/pull/7622
  • [PM-37597] Set Automatic Tax and Prevent Tax Exempt Mutations by @sbrown-livefront in https://github.com/bitwarden/server/pull/7662
  • [PM-37064] feat: Add ScheduleBusinessPriceIncrease scheduler entry point by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7665
  • [PM-35066] - remove legacy collections endpoint by @jaasen-livefront in https://github.com/bitwarden/server/pull/7520
  • [PM-37740] Add missing container configuration to aspire by @eliykat in https://github.com/bitwarden/server/pull/7670
  • [PM-35656] Add Events for New Item Types by @nick-livefront in https://github.com/bitwarden/server/pull/7642
  • [PM-37598] Update Tax Id Warning Logic with Feature Flag by @sbrown-livefront in https://github.com/bitwarden/server/pull/7677
  • [PM-35948] Update send openapi to work for sdk by @adudek-bw in https://github.com/bitwarden/server/pull/7556
  • [PM-35393] MasterPasswordService auth integration by @enmande in https://github.com/bitwarden/server/pull/7575
  • [PM-26732] Remove Chromium ABE importer feature flag by @mcamirault in https://github.com/bitwarden/server/pull/7026
  • [PM-37068] feat: Add business plan cohort branch to UpcomingInvoiceHandler by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7678
  • [PM-36678] Add custom user check by @JimmyVo16 in https://github.com/bitwarden/server/pull/7675
  • SRE-4899 - update node 20 to 24 for admin project by @sneakernuts in https://github.com/bitwarden/server/pull/7685
  • [PM-4128] Remove nullability of Send.Data and Send.Keys by @harr1424 in https://github.com/bitwarden/server/pull/7266
  • Add passkey and password history to a subset of seeded credentials by @harr1424 in https://github.com/bitwarden/server/pull/7635
  • feat(kdf-settings-validator): Enforce salt cannot be empty string. by @enmande in https://github.com/bitwarden/server/pull/7628
  • [PM-37259] - Update Sso Request Validator by @jrmccannon in https://github.com/bitwarden/server/pull/7676
  • [PM-36964] Add per-org migration cohort assignment to the Admin portal by @cyprain-okeke in https://github.com/bitwarden/server/pull/7681
  • [PM-31021] Resolve authoring exclusions by @jprusik in https://github.com/bitwarden/server/pull/7688
  • [PM-37251] Add public invite link GET status endpoint by @r-tome in https://github.com/bitwarden/server/pull/7656
  • [deps]: Update dotnet monorepo to v10 (major) by @renovate[bot] in https://github.com/bitwarden/server/pull/6634
  • [Shared Unlock] [PM-35083] Add shared unlock feature flags by @quexten in https://github.com/bitwarden/server/pull/7687
  • [PM-35401] Update exception handling in CreateAuthRequestAsync() and PostAdminRequest() by @rr-bw in https://github.com/bitwarden/server/pull/7615
  • [PM-37593] Add OrganizationUserStatusTypeNew - πŸͺ“ Revoked by @sven-bitwarden in https://github.com/bitwarden/server/pull/7666
  • [PM-12469] Move remaining Admin Password Reset code to AC team by @eliykat in https://github.com/bitwarden/server/pull/7680
  • [PM-37083] feat: Add per-phase price resolution to UpdateOrganizationSubscriptionCommand by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7695
  • [PM-37785] Add vault batch bar feature flags by @nick-livefront in https://github.com/bitwarden/server/pull/7696
  • Seeder/item type enhancements by @nthompson-bitwarden in https://github.com/bitwarden/server/pull/7694
  • [PM-37956] by @ike-kottlowski in https://github.com/bitwarden/server/pull/7698
  • Add feature flag for SSH ecdsa by @neuronull in https://github.com/bitwarden/server/pull/7697
  • [PM-35479] updating AutoMapper to v14 and adding cve workaround by @itsadrago in https://github.com/bitwarden/server/pull/7521
  • [PM-37486] Remove IPolicyService and associated dead code by @r-tome in https://github.com/bitwarden/server/pull/7672
  • [PM-36563] Send access event logs by @harr1424 in https://github.com/bitwarden/server/pull/7679
  • PM 35227 Extend checkout endpoint for browser/desktop platforms by @cyprain-okeke in https://github.com/bitwarden/server/pull/7550
  • Use fixture to share state between PushControllerTests by @justindbaur in https://github.com/bitwarden/server/pull/7433
  • [PM-29658]: Remove PUT Policy vNext by @sven-bitwarden in https://github.com/bitwarden/server/pull/7711
  • [PM-34502] Remove the IPolicyValidator pattern by @JimmyVo16 in https://github.com/bitwarden/server/pull/7714
  • [PM-27487] Remove disable-type-0-decryption feature flag by @jlf0dev in https://github.com/bitwarden/server/pull/7717
  • [PM-37084] Business Aware Schedule Recovery and Cancellation by @sbrown-livefront in https://github.com/bitwarden/server/pull/7686
  • [PM-35312] Remove Outdated Stored Procedures by @sven-bitwarden in https://github.com/bitwarden/server/pull/7712

New Contributors

  • @aikido-autofix[bot] made their first contribution in https://github.com/bitwarden/server/pull/7448
  • @blackwood made their first contribution in https://github.com/bitwarden/server/pull/7528
  • @nthompson-bitwarden made their first contribution in https://github.com/bitwarden/server/pull/7694

Full Changelog: https://github.com/bitwarden/server/compare/v2026.4.2...v2026.5.0

Breaking Changes

  • Removed feature flag for Premium risk insights
  • Removed feature flag for web app welcome dialogs
  • Removed feature flag for migration of cipher operations to SDK
  • Removed feature flag for autofill security prompt

Security Fixes

  • dep: Tools: Update MailKit to 4.16.0 [SECURITY]
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track server

Get notified when new releases ship.

Sign up free

About server

Bitwarden infrastructure/backend (API, database, Docker, etc).

All releases β†’

Related context

Beta — feedback welcome: [email protected]