dani-garcia/vaultwarden

← Alle Releases
1.36.0 vor 2 Monaten BlackDex BlackDex Auf GitHub ansehen

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.
- SSO Login CSRF
GHSA-pfp2-jhgq-6hg5
GHSA-w6h6-8r66-hcv7
- User/Organization Enumeration
GHSA-hxqh-ff5p-wfr3
- SSO existing-user binding
GHSA-j4j8-gpvj-7fqr
GHSA-6x5c-84vm-5j56
- SSRF via Icon Endpoint
GHSA-72vh-x5jq-m82g
- Some crate's updated and other minor security enhancements

These are private for now, pending CVE assignment.

Notes

  • Archiving of items is available
    https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/
    https://bitwarden.com/nl-nl/help/managing-items/#archive
  • Web Vault updated to v2026.4.1

What's Changed

  • SSO fallback to UserInfo preferred_username by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7128
  • Dummy identifier need to pass for a guid by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7154
  • add new /identity/accounts/prelogin/password by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/7156
  • Add DuckDuckGo browser device type by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7147
  • Apply duration_suboptimal_units lint findings by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7144
  • Apply ref_option lint findings by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7143
  • Fix hardcoded sso identifier by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7157
  • Update crates and fix a nightly lint by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7161
  • Fix Host/IP resolving by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7162
  • Several SSO Fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7163
  • Add support for archiving items by @matt-aaron in https://github.com/dani-garcia/vaultwarden/pull/6916
  • Fix favicon fetching to check all icon links instead of just the first one by @Shocker in https://github.com/dani-garcia/vaultwarden/pull/6880
  • Fix merge conflict by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/7164
  • Replace organization_uuid unwrap with proper error handling by @xjohnyknox in https://github.com/dani-garcia/vaultwarden/pull/6936
  • fix: return Err instead of panic on unknown cipher atype in to_json() by @mango766 in https://github.com/dani-garcia/vaultwarden/pull/7068
  • Allow SQLite to be linked against dynamically by @ISSOtm in https://github.com/dani-garcia/vaultwarden/pull/7057
  • Update crates and web-vault by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7171
  • Update hickory by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7175

New Contributors

  • @matt-aaron made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6916
  • @Shocker made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6880
  • @xjohnyknox made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6936
  • @mango766 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7068
  • @ISSOtm made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7057

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.8...1.36.0

You can discuss this release here https://github.com/dani-garcia/vaultwarden/discussions/7177