1.36.0
Security relevant
Security fixes
- SSO Login CSRF — GHSA-pfp2-jhgq-6hg5, GHSA-w6h6-8r66-hcv7
- User/Organization Enumeration — GHSA-hxqh-ff5p-wfr3
- SSO existing-user binding — GHSA-j4j8-gpvj-7fqr, GHSA-6x5c-84vm-5j56
Notable features
- Archiving of items is now available
- Web Vault updated to v2026.4.1
- Add DuckDuckGo browser device type
Full changelog
Security Fixes
This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.
- SSO Login CSRF
GHSA-pfp2-jhgq-6hg5
GHSA-w6h6-8r66-hcv7 - User/Organization Enumeration
GHSA-hxqh-ff5p-wfr3 - SSO existing-user binding
GHSA-j4j8-gpvj-7fqr
GHSA-6x5c-84vm-5j56 - SSRF via Icon Endpoint
GHSA-72vh-x5jq-m82g - Some crate's updated and other minor security enhancements
These are private for now, pending CVE assignment.
Notes
- Archiving of items is available
https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/
https://bitwarden.com/nl-nl/help/managing-items/#archive - Web Vault updated to v2026.4.1
What's Changed
- SSO fallback to UserInfo preferred_username by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7128
- Dummy identifier need to pass for a guid by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7154
- add new /identity/accounts/prelogin/password by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/7156
- Add DuckDuckGo browser device type by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7147
- Apply
duration_suboptimal_unitslint findings by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7144 - Apply
ref_optionlint findings by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7143 - Fix hardcoded sso identifier by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7157
- Update crates and fix a nightly lint by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7161
- Fix Host/IP resolving by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7162
- Several SSO Fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7163
- Add support for archiving items by @matt-aaron in https://github.com/dani-garcia/vaultwarden/pull/6916
- Fix favicon fetching to check all icon links instead of just the first one by @Shocker in https://github.com/dani-garcia/vaultwarden/pull/6880
- Fix merge conflict by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/7164
- Replace organization_uuid unwrap with proper error handling by @xjohnyknox in https://github.com/dani-garcia/vaultwarden/pull/6936
- fix: return Err instead of panic on unknown cipher atype in to_json() by @mango766 in https://github.com/dani-garcia/vaultwarden/pull/7068
- Allow SQLite to be linked against dynamically by @ISSOtm in https://github.com/dani-garcia/vaultwarden/pull/7057
- Update crates and web-vault by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7171
- Update hickory by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7175
New Contributors
- @matt-aaron made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6916
- @Shocker made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6880
- @xjohnyknox made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6936
- @mango766 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7068
- @ISSOtm made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7057
Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.8...1.36.0
You can discuss this release here https://github.com/dani-garcia/vaultwarden/discussions/7177