• Removed feature flag for automatic member confirmation settings

• Removed feature flag for unlock with passkey

• Removed feature flag for SCIM refactor

• Various under-the-hood improvements and minor bug fixes

Security notice: To resolve a bug with the local storage of API keys for the Bitwarden CLI, the next Bitwarden server release following this one will automatically rotate the personal API keys for users of the Bitwarden CLI. If you use the Bitwarden CLI for any automated workflows, update those workflows with your new API keys immediately following that release in order to maintain continuity.

Overview

• Removed feature flag for vault items archive
• Removed feature flag for default saving location when organization data ownership policy is enabled
• Removed feature flag for hiding alternate login methods when SSO is required
• Removed feature flag for several UX improvements
• Removed feature flag for provider initialization refactor
• Added support for deeplink redirect with https schema
• Various under-the-hood improvements and minor bug fixes

What's Changed

:shipit: Feature Development

• [PM-31736] User-friendly cookie vendor error message by @dereknance in https://github.com/bitwarden/server/pull/7270
• [PM-33972] Remove pm-26140-marketing-initiated-premium-flow feature flag by @trmartin4 in https://github.com/bitwarden/server/pull/7275
• [PM-32783] Add electron-storage-cache flag by @dani-garcia in https://github.com/bitwarden/server/pull/7286
• [PM-33890] Set up Stripe Subscription Schedule API operations by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7289
• feat(redirect): [PM-30810] Https Redirection for Cloud Users by @Patrick-Pimentel-Bitwarden in https://github.com/bitwarden/server/pull/6852
• [PM-22110] Remove pm-22110-disable-alternate-login-methods feature flag by @trmartin4 in https://github.com/bitwarden/server/pull/7274
• [PM-22435] chore: remove create default collections ff ref by @vincentsalucci in https://github.com/bitwarden/server/pull/7298
• [PM-33086/7] Remove the feature flag RefactorOrgAcceptInit by @r-tome in https://github.com/bitwarden/server/pull/7287
• [PM-28420] Remove feature flag by @BTreston in https://github.com/bitwarden/server/pull/7282
• [PM-33087] Remove RefactorOrgAcceptInit feature flag by @r-tome in https://github.com/bitwarden/server/pull/7325
• [PM-15489] 2fa account recovery by @kspearrin in https://github.com/bitwarden/server/pull/7139
• Auth/PM-34400 - Add desktop devices feature flag by @JaredSnider-Bitwarden in https://github.com/bitwarden/server/pull/7361
• [PM-32009] Add New Item Type Feature Flag by @nick-livefront in https://github.com/bitwarden/server/pull/7358
• [PM-34410] Attachment Upload Feature Flag by @nick-livefront in https://github.com/bitwarden/server/pull/7357
• Add feature flag for access intelligence trend chart by @Banrion in https://github.com/bitwarden/server/pull/7363
• [PM-33212] Finalize Org Data Ownership Policy Requirement by @sven-bitwarden in https://github.com/bitwarden/server/pull/7210
• [PM-332124] Finalize PolicyRequirement + 2FA Feature Flag by @sven-bitwarden in https://github.com/bitwarden/server/pull/7209
• [PM-19168] Remove Archive Feature Flag guards by @nick-livefront in https://github.com/bitwarden/server/pull/7371
• [PM-31885] Consolidate all Send policies to a single policy by @harr1424 in https://github.com/bitwarden/server/pull/7113
• [PM-31905] Remove m2 flag definition by @cturnbull-bitwarden in https://github.com/bitwarden/server/pull/7353
• [PM-28190] Add feature flag: pm-28190-cipher-sharing-ops-to-sdk Feature Flag by @nikwithak in https://github.com/bitwarden/server/pull/6887

🐛 Bug fixes

• [PM-33980] Only verify UseMyItems when claim exists by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7278
• [PM-32450] Allow SMTP TLS CRL status retrieval failures by @dereknance in https://github.com/bitwarden/server/pull/7271
• [PM-19143] Fix custom permissions not persisting via InviteOrganizationUsersCommand by @r-tome in https://github.com/bitwarden/server/pull/7285
• [PM-34049] Fix PoliciesController authorize attribute by @eliykat in https://github.com/bitwarden/server/pull/7303
• [PM-34048 ] Add limit item deletion to manage collection permission to Org view/edit by @vincentsalucci in https://github.com/bitwarden/server/pull/7296
• [PM-31822] Fix file Send size validation by @mcamirault in https://github.com/bitwarden/server/pull/7311
• [PM-34440] Fix cache duplicate-key error by @JimmyVo16 in https://github.com/bitwarden/server/pull/7360
• [PM-30185] Fix email fallback logic to ignore empty primary email by @BTreston in https://github.com/bitwarden/server/pull/7359
• [PM-32829] Cipher Key for unassigned ciphers by @nick-livefront in https://github.com/bitwarden/server/pull/7164
• [PM-32260] Fix missing device approval event logs for accepted users by @r-tome in https://github.com/bitwarden/server/pull/7247
• [PM-26581] Add missing model.type param by @BTreston in https://github.com/bitwarden/server/pull/7369
• [PM-29981] Add repo call to check if existing collection already has access setup by @BTreston in https://github.com/bitwarden/server/pull/7365
• [PM-34570] Expired or Cancelled Claimed User Throws Billing Exception on Subscription Cancel by @sbrown-livefront in https://github.com/bitwarden/server/pull/7382
• fix(change-email): [PM-34742] Change Email Sets Salt (#7422) by @Patrick-Pimentel-Bitwarden in https://github.com/bitwarden/server/pull/7423

⚙️ Maintenance

• [BRE-1004] Add GHCR Support to Build/Publish workflows by @vgrassia in https://github.com/bitwarden/server/pull/7263
• [PM-32066] - Add Org Ability View by @jrmccannon in https://github.com/bitwarden/server/pull/7194
• [PM-33895] Filter [BindNever] parameters from OpenAPI schema by @dani-garcia in https://github.com/bitwarden/server/pull/7257
• [deps]: Update docker/build-push-action action to v7 by @renovate[bot] in https://github.com/bitwarden/server/pull/7221
• [PM-32067] - Add Provider Ability View by @jrmccannon in https://github.com/bitwarden/server/pull/7200
• [PM-33041] Organization Ability: Refactor CipherResponseModel by @JimmyVo16 in https://github.com/bitwarden/server/pull/7202
• [PM-33043] Refactor PolicyService, CipherService, and TwoFactorAuthenticationValidator by @JimmyVo16 in https://github.com/bitwarden/server/pull/7214
• [PM-33042] Refactor EventService to remove deprecated GetOrganizationAbilitiesAsync by @JimmyVo16 in https://github.com/bitwarden/server/pull/7240
• [deps]: Update dorny/test-reporter action to v3 by @renovate[bot] in https://github.com/bitwarden/server/pull/7347
• [PM-34462] Improve role handling in provider controllers by @eliykat in https://github.com/bitwarden/server/pull/7372
• [PM-3836] Tools - Make Controllers, Services and API Models nullable by @harr1424 in https://github.com/bitwarden/server/pull/7212
• Add release yml to rc by @djsmith85 in https://github.com/bitwarden/server/pull/7466

📦 Dependency Updates

• [deps] Auth: Update Duende.IdentityServer to 7.4.6 by @renovate[bot] in https://github.com/bitwarden/server/pull/6323
• [PM-33499] Permissive base64 decoder by @dereknance in https://github.com/bitwarden/server/pull/7207
• [deps]: Update sass to v1.98.0 by @renovate[bot] in https://github.com/bitwarden/server/pull/7343
• [deps]: Update prettier to v3.8.1 by @renovate[bot] in https://github.com/bitwarden/server/pull/6702

🎨 Other

• PM-33964 - Fix silent switch defaults in Seeder with fail-fast throws by @theMickster in https://github.com/bitwarden/server/pull/7277
• [PM-33819] Enforce use of authorize attributes by @eliykat in https://github.com/bitwarden/server/pull/7242
• Arch/cipher scene by @MGibson1 in https://github.com/bitwarden/server/pull/7241
• [PM-33894] Schedule price increases by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7293
• [PM-34082] Seed passkeys by @MGibson1 in https://github.com/bitwarden/server/pull/7265
• Added RSA keypair pool + Caching to Seeder's RustSdk by @theMickster in https://github.com/bitwarden/server/pull/7288
• [PM-33896] Update Families organization on schedule transition by @cturnbull-bitwarden in https://github.com/bitwarden/server/pull/7300
• [PM- 30370] [PM-28827] Add Salt to Auth and KM DTOs by @ike-kottlowski in https://github.com/bitwarden/server/pull/7239
• [PM-32008] Add scope comment for SecurityTaskAuthorizationHandler by @nick-livefront in https://github.com/bitwarden/server/pull/7291
• [PM-21926] Add salt to Admin Console DTOs by @ike-kottlowski in https://github.com/bitwarden/server/pull/7231
• [PM-33043] Fix the failing test. by @JimmyVo16 in https://github.com/bitwarden/server/pull/7316
• [PM-33899] Release schedule on terminal subscription operations by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7305
• PM-34033 - Add individual user seeding to preset pipeline by @theMickster in https://github.com/bitwarden/server/pull/7304
• PM-34033 - Add user & org API key seeding and improve CLI output by @theMickster in https://github.com/bitwarden/server/pull/7324
• [PM-34039] [Defect] Discount Eligibility Endpoint Shows "New Users Only" Discounts by @sbrown-livefront in https://github.com/bitwarden/server/pull/7301
• Update to IHostBuilder style by @justindbaur in https://github.com/bitwarden/server/pull/6843
• [PM-32216] Create Stripe Checkout Session Endpoint by @sbrown-livefront in https://github.com/bitwarden/server/pull/7246
• [PM-33901] Remove unused UpdateTaxInformation by @cturnbull-bitwarden in https://github.com/bitwarden/server/pull/7320
• [PM-33901] Implement schedule-aware tax handling by @cturnbull-bitwarden in https://github.com/bitwarden/server/pull/7319
• PM-33964 - Unify CipherSeeder factories behind CipherSeed domain model. by @theMickster in https://github.com/bitwarden/server/pull/7330
• Clarify potential misleading comment by @theMickster in https://github.com/bitwarden/server/pull/7339
• Rename CLI endpoint to Preset instead of Seed by @theMickster in https://github.com/bitwarden/server/pull/7340
• Move IEventService to Dirt by @eliykat in https://github.com/bitwarden/server/pull/7272
• [PM-33898] Schedule-aware storage adjustments by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7350
• [PM-33891] Migrate Cancel and Reinstate Paths by @sbrown-livefront in https://github.com/bitwarden/server/pull/7331
• [PM-33405] Add OrganizationUserNotificationPolicy by @nick-livefront in https://github.com/bitwarden/server/pull/7250
• [PM-31902] Remove m2 flagged logic by @cturnbull-bitwarden in https://github.com/bitwarden/server/pull/7351
• [PM-34530] Display schedule discount on premium subscription page by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7375
• [PM-33897] Schedule Aware Cancellation and Reinstatement by @sbrown-livefront in https://github.com/bitwarden/server/pull/7374
• [PM-34530] Fix schedule discount scope on premium subscription page by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7378
• [PM-29956] Add logging to sponsorship redemption flow by @cturnbull-bitwarden in https://github.com/bitwarden/server/pull/7381
• [pm-34486] require basic auth on seeder api endpoints by @MGibson1 in https://github.com/bitwarden/server/pull/7368
• [PM-34582] Include schedule discount in premium tax estimate by @cturnbull-bitwarden in https://github.com/bitwarden/server/pull/7385
• [PM-33788] EF Emergency Access Query Updates by @enmande in https://github.com/bitwarden/server/pull/7297
• [PM-34623] Fix stale discount display after Stripe deletion by @amorask-bitwarden in https://github.com/bitwarden/server/pull/7391

Full Changelog: https://github.com/bitwarden/server/compare/v2026.3.2...v2026.4.0