VaultWarden

This release fixes MySQL/MariaDB connection issues on Alpine by reverting to MariaDB Connector/C v3.4.5, updates crates to address the MySQL issue, and fixes signup link hiding.

Vaultwarden 1.35.0 updates the web vault to 2025.7.0 and adds experimental OpenDAL S3 backend support (s3 feature flag), plus assorted UI, admin, and policy fixes.

Fixes an admin diagnostics crash in the 1.34.1 release (contributed by @BlackDex).

Vaultwarden 1.34.0 includes web-vault 2025.5.0, a new email-verified registration flow, and feature flags for mutual TLS, attachment export, and AnonAddy/SimpleLogin self-host, plus numerous fixes.

Vaultwarden 1.33.2 brings security and crate updates (fix CVE-2025-24898), a new bulk-access endpoint for collections, a desktop icon redirect fix, and showing assigned collections on member edit.

This release fixes desktop icon display, invites reliability, Duo field names, password revision date, and manager/collection permissions; adds new event types, enables OrgMemberHeaders access for invited members, and updates Rust to 1.84.1.

Release 1.33.0 adds web-vault 2025.1.1 with partial manager role for collections, signed OCI artifacts, various fixes, a new TOTP delete endpoint, a feature flag, and security advisories GHSA fixes.

Security fix for CVE affecting ORG_GROUPS_ENABLED; release adds masking of smtp_img_src, refactoring/optimizations, connect-src entries support, and switching to an updated fern.

Release 1.32.6 includes push and member-access fixes, native-client sync fix, Rust/crates and Alpine 3.21 updates, backend admin tweaks, plus first contribution from chuangjinglu.

Security fixes addressing CVEs; added SSH-key vault support (with feature flag) and SSH keys on desktop 2024.12+, plus numerous authrequest, password/hint fixes, dynamic CSS, and org import duplicate fixes.

Security fixes addressing CVEs; mobile app datetime precision tweaks; emergency access invite email template updated; README updated; upgrade from 1.32.3 to 1.32.4.

Fixes: HTML-encoded org invite URL; SMTP QUIT handling; Password Manager collection management; iOS field type int; hidden field behavior; Rust 1.82.0; extension-refresh flag; hide username on invites; docs for flag; crates/mail issues.

This release improves collection management for managers, fixes Windows compilation, addresses --version display without a config, and includes general updates.

This release fixes native mobile login sync, adds a SQLite backup CLI, and updates email templates for invites, 2FA incomplete logins, and new logins.

Security fixes for CVE-2024-39924/39925/39926, web-vault updated to 2024.6.2 with enrollment rollback, plus extensive improvements including MFA support, note size increase, Dockerfile optimizations, and Rust/toolchain updates.

Release 1.31.0 adds beta native mobile apps, removes WebSocket on port 3012, updates web vault to 2024.5.1, and includes numerous fixes, Rust/crate updates, plus the EU push API endpoint change.

Release 1.30.5 fixes the web API call for jQuery 3.7.1 and adds new contributor Calvin-li-developer (first contribution) via PR 4400.

WebSockets are now in the main HTTP server (simplifying proxies); the old 3012 server is deprecated—migrate now. Also includes crates/Rust updates, Kubernetes env detection, workflow tweaks, and codegen/resource changes.

Minor release fixing push notification device registration and Docker healthcheck; WebSockets now served by the main HTTP server, deprecating port 3012 setup—migrate per wiki.

WebSockets live-sync is now integrated into the main HTTP server, simplifying proxies; the old 3012 server is deprecated and will be removed—migrate to the new setup per the wiki.

Minor release fixes Login with device, restores alpine docker tag, and integrates WebSockets into the main HTTP server (deprecated 3012 setup; see wiki for new proxy examples); includes autofill-v2 disable, Protected Actions Check, and crates update.

WebSockets are now integrated into the main HTTP server; adds passkey support (extensions require v2023.10.0+), updates the web vault, fixes ARMv6 and mobile cipher issues, and deprecates the old 3012 setup with migration guidance.

Minor release fixes login issue requiring the master password and includes multiple fixes and improvements: env template fix, LDAP import, device login, web-vault/Rust bumps, favicon optimization, login response options, new secretsmanager plan, WebSocket auth header, and admin UI update.

Vaultwarden 1.29.1 fixes PostgreSQL Org API Key generation, resolves external_id issues, removes attachment download debug code, and adds forwardemail support.

Vaultwarden now serves WebSocket notifications on the default HTTP port (3012 kept for now), adds mobile push, updates Web Vault to v2023.5.0, supports Directory Connector v2022.11.0 and passkeys, plus numerous fixes and Rust crate updates.

This release decodes X-Request-Email as base64url, fixes password-reset mail abort, adds admin /users/<uuid>/invite/resend, always returns KdfMemory/KdfParallelism, fixes multiple websocket notifications, reverts setcap with Rust/crates updates, and welcomes Nikolaevn’s first contribution.

Vaultwarden is now AGPLv3 licensed; adds Argon2 KDF support for clients and admin tokens; and introduces beta alternative container registries (GHCR and Quay) along with numerous fixes.

Adds organization event logs and beta group support, plus numerous updates including web vault upgrade, Rust/deps boosts, and various fixes and export improvements.

Vaultwarden 1.26.0: web vault v2022.10.0, mobile upload fixes, send v2 API support, org user revoke, improved login errors, 404 catcher, CSP/dependency/Rust updates, build workflow, and new contributors.

Migrates from bitwardenrs/server to vaultwarden image; patch 1.25.2 fixes potential corrupted uploads, restores download/error behavior, and fixes persistent volume checks, CSP/icon redirects, plus updates CI build workflow.

Migrate from bitwardenrs/server to the vaultwarden image; update web vault to 2022.6.2, add password_hints_allowed, CSP/Firefox relay fixes, persistent volume checks, websocket crate swap, armv6 fix, and improved user JSON fields and deps.

Migrate from bitwardenrs/server to vaultwarden image; release adds web vault v2.28.1, Rocket 0.5 async, new /api/alive/now/version endpoints, autofocus admin login, custom .env path, CVE fixes, and various improvements.

Migrates from bitwardenrs to vaultwarden image; 1.24.0 adds external icon support with redirects, API keys, user/admin login rate limits, Permissions-Policy, Expires header caching, longer email tokens, Rust upgrade, various fixes and domain sync.

Migrate from bitwardenrs/server to vaultwarden image; this release adds email notifications for incomplete 2FA, fixes read_only/hide_passwords conflict, fixes encrypted key after emergency access reject, fixes PostgreSQL migration, optimizations, DNS/trust-dns updates, and updates web vault to 2.25.0.

Vaultwarden release: migrate from bitwardenrs images to vaultwarden; adds emergency access, single-organization policy, bulk user actions, fixes webauthn origin and email case, tzdata in Alpine, web vault 2.23.0, GitHub Actions builds, /alive DB check, dependencies updated.

Migrates from bitwardenrs/server to vaultwarden; web vault 2.21.1, enforce 2FA in organizations, protect send routes from path traversal, disable show_password_hint by default, disable WebAuthn user verification enforcement, fix

Migration note: switch from bitwardenrs/server* to vaultwarden image; old images deprecated and will stop updates after 1.23.0; also fixed Alpine builds.

Adds Send functionality; updates web vault to 2.19.0; fixes CORS issues; enhances diagnostics page with more info; updates dependencies.

Revamped admin UI with diagnostics, sorting, and org/user management; added Personal Ownership policy; improved Docker SIGTERM handling; experimental LDAP import via Directory Connector; web vault 2.18.1; Docker buildx and opencontainers labels; synced global domains.

One image supports SQLite, MySQL and PostgreSQL (AMD64 and ARM), adds DB connection retries, improved session invalidation, multi-SMTP, per-user item favorites, admin fixes, Alpine variants, and updated web vault.

Fixed build issues for MySQL and PostgreSQL releases; added user-restricted org creation with examples; synchronized global_domains.json with upstream.

Fixed vault unlock in the desktop client; re-added the arm32v6 tag for ARMv6 compatibility; fixed websocket notifications when trashing an item.

Logs now include millisecond timestamps by default with LOG_TIMESTAMP_FORMAT option; restored arm32v6 docker tag due to multiarch issues; uses docker multiarch images—see the wiki/1.16.0 release notes for migration guidance.

Docker multiarch support added; images now use unified tags (no arch-specific tags) with bitwardenrs/server:testing as the primary tag, plus latest/alpine variants and mysql/postgres database-specific tags.

Fixes: prevent attachment cloning errors with ciphers (attachments not cloned); correct version check when no commits since last release; add openssl extern crate to fix builds; admin page shows per-user attachment counts and per-organization user counts, and fixes DNS resolution.

Mandatory update for newer clients adding soft delete (trash), a redesigned multi-page admin with verified-email icon and counters

Addresses mobile sync error, updates web vault to 2.13.2, fixes websockets id, improves Docker health checks with subdirectory support, allows BWRS_VERSION env to set build version during cargo build, plus dependency updates and other bug fixes.

Adds org policies and cipher cloning support; updates web vault to 2.13; loosens SMTP login formatting; updates dependencies; makes panics loggable; and fixes import/invite errors within organizations.

Release notes: improved log filtering with debug/trace, crash fix for large cipher pages, configurable IP_HEADER (default X-Client-IP), show server time on TOTP fail, protect WebSocket server from panics, admin logout button, endpoint to delete U2F key, and dependency updates.

Adds email verification (optional SIGNUPS_VERIFY), welcome and confirmation emails (change email, account deletion), favicon DataURL parsing, and updated dependencies.

Migration note: move from mprasil/bitwarden to bitwardenrs/server; adds PostgreSQL support (feature flag), icon blacklist for non-global IPs, SQLite binary in SQLite images, admin scripts loaded locally, CORS, Docker healthcheck, email 2FA, and web vault 2.12.0.

Adds MySQL support (bitwardenrs/server-mysql; SQLite→MySQL migration steps), admin backup for SQLite, HaveIBeenPwned V3, admin 2FA removal, configurable SMTP auth, login-notify emails, icon proxy, web vault 2.11.0, and assorted bug fixes.

Fixed U2F in Chrome 74+; added images to emails; and updated dependencies.

Duo 2FA now available globally or per-user; web vault updated to 2.10.0; added LOG_LEVEL control; enable syslog with USE_SYSLOG=true; DATA_FOLDER now affects CONFIG_FILE; Admin API improvements and other fixes.

Secrets hidden by default; version shown; read-only settings; force user resync; multi U2F support; HTML emails; vault 2.9.0; constant-time checks for admin password and tokens; new config options; dependencies updated and bugs fixed.

Adds a config menu saving JSON (default data/config.json, configurable via CONFIG_FILE), email templating with handlebars (reload option and templates paths), improved icon downloader with disable toggle, admin panel enhancements, Feature-Policy header, YubiKey recovery code, and .env read from the current directory, plus various fixes.

Minor fix release: enables Yubikey support on AArch64; fixes errors editing cipher with attachments and hiding cipher when deleting attachments; adds unofficial server warning.

Adds new admin panel at /admin gated by ADMIN_TOKEN (admin_email removed); adds email invites; vault updated to v2.8.0; fixes AArch64 build (disables Yubikey); TTLs for icon cache; improved error handling and various bug fixes; wiki launched for Readme info.

Revamped logging with optional file/syslog support, updated web vault to 2.7.1, added key rotation and attachment keys, Yubico support, Rocket 0.4, plus fixes for logout and mobile 2FA crashes.

WebSockets are disabled by default and can be enabled with WEBSOCKET_ENABLED=true (requires extra setup); web vault updated to 2.4.0; sync now avoids sending equivalent domains when unnecessary; includes bug fixes and docs updates.

Released a simple admin panel for inviting/deleting users, added WEBSOCKET_ADDRESS config, updated docker web vault to 2.4.0, added an aarch64 Dockerfile, refreshed dependencies, and applied bug fixes.

Adds partial WebSocket notifications, fixes OpenSSL 1.1.1 compile error, returns default prelogin values for non-existent users, updates Docker Web Vault to 2.3.0, changes client KDF iterations, and bumps dependencies.

Displays password hints on web (SMTP optional with hints), adds SMTP integration for hints, new musl/ARMv7 docker images, Travis CI, KDF prelogin/notification, logs IP/username on failures, password history, web-vault 2.2, and cipher import in orgs.

Release includes web vault 2.1.1, updated dependencies, added share selected ciphers, and updated user revision date on changes to fix synchronization.

Adds a password hint feature, fixes the user revision date, and improves documentation.

Release notes: added missing attachment APIs and switched SQLite to WAL journal mode to improve concurrency.

Hide organization data from unconfirmed users, update Arch package links, set Rocket default workers to 10 for better performance, and return 404 when a web vault file is missing.

Adds U2F (FIDO) authentication to enable hardware security keys as a second factor for user logins.