VaultWarden logo

VaultWarden

Password manager with Bitwarden compatibility

Alternative to: bitwarden, 1password, lastpass, keepass, keeper


About Versions (83)

1.36.0

2026-05-03

Release 1.36.0 mitigates multiple security advisories (SSO CSRF/enumeration, SSO binding, SSRF), adds item archiving and a new prelogin password endpoint, and updates crates plus Web Vault to 2026.4.1.

1.35.8

2026-04-25

Vaultwarden 1.35.8 includes fixes for master password policy auth, recovery codes, and invalid refresh tokens, plus updates to Rust/crates/CI and DNS, plus web-vault and crates updates.

1.35.7

2026-04-13

Vaultwarden 1.35.7 fixes Android 2FA support (contributed by @BlackDex).

1.35.6

2026-04-12

Fixes for MFA Remember and Recovery Tokens not being accepted; restores support for Two Factor Remember Tokens, includes MFA Remember fix by BlackDex.

1.35.5

2026-04-12

This release patches three security advisories, updates admin templates, enforces 2FA remember tokens to 30 days, and adds numerous feature flags and fixes (Safari switch, WebAuthn origins, SSO cache, API login fixes, etc.).

1.35.4

2026-02-23

Security fixes address three advisories (data access, manager-level collection modification) and the release includes Rust/crates updates, hidden 2FA token, invite link fixes, organization tweaks, plus a new contributor (proofofcopilot).

1.35.3

2026-02-10

Security fixes include GHSA-h265-g7rm-h337; user API key login fix; webauthn email; hide password hints; 2FA with auth requests; crates/web-vault updates; diagnostics tooltips; empty AccountKeys; purge error message; misc updates.

1.35.2

2026-01-09

Fixes include web-vault org creation, 204 No Content response, Android MasterPasswordHash support; improved SSO callback; and web-vault version check/update.

1.35.1

2025-12-30

Fix logout issue after upgrade by adjusting refresh token parsing, update web vault to 2025.12.1, restore alpine tag in 1.35.1, update lockfile, apply misc changes, and retry old refresh token if JWT decode fails.

1.35.0

2025-12-27

Adds OpenID Connect SSO support, updates web vault to 2025.12.0, enables mobile app compatibility for 2026.1.0+, and marks Vaultwarden's first immutable release with release attestation.

1.34.3

2025-07-30

Fix MySQL/MariaDB connection issue on Alpine by restoring MariaDB Connector/C v3.4.5; crates update triggers rebuild and signup link hiding fix.

1.34.2

2025-07-27

Vaultwarden 1.35.0: web vault updated to 2025.7.0 with experimental S3/OpenDAL backend (s3 feature); plus UI, policy, admin, and compatibility fixes.

1.34.1

2025-05-26

Fixes an admin diagnostics crash (contributed by @BlackDex) in the 1.34.0→1.34.1 update.

1.34.0

2025-05-26

Vaultwarden 1.34.0 updates web-vault to 2025.5.0, adds a new email-verified registration flow, and introduces feature flags for mutual TLS, attachment export, and AnonAddy/SimpleLogin self-host, plus Rust upgrades and assorted fixes.

1.33.2

2025-02-09

Security and dependency updates, including CVE-2025-24898 fix; new bulk-access endpoint for collections; desktop icon redirect fix; and showing assigned collections on member edit.

1.33.1

2025-02-03

Fixes for desktop icons, invites, Duo fields, manager rights, and mobile sync; adds OrgMemberHeaders access for invited members, new event types, passwordRevisionDate fix, broader collection creation rights for managers, and Rust 1.84.1 update (new contributors welcome).

1.33.0

2025-01-25

This release patches three security advisories, updates web-vault to 2025.1.1, adds partial manager role for collections, introduces artifact attestations for OCI/images, and includes multiple feature updates and fixes.

1.32.7

2024-12-20

Security fix for CVE affecting ORG_GROUPS_ENABLED; release also masks smtp_img_src, includes refactoring and security fixes, enables adding connect-src entries, and updates fern.

1.32.6

2024-12-10

Release fixes push, member access edits, and native sync issues; updates Rust crates and Alpine 3.21; backend admin tweaks; new contributor chuangjinglu. See full changelog.

1.32.5

2024-11-18

Security fixes addressing CVE reports; adds experimental SSH-key vault storage (Bitwarden Desktop 2024.12+ required) via feature flag, plus numerous auth/password hint/import fixes and dynamic CSS support.

1.32.4

2024-11-10

Security fixes addressing CVEs; update recommended. Notable: improved mobile app compatibility with cleaner datetime formatting; updated emergency access invite email template; README updated.

1.32.3

2024-10-27

Org invite URL no longer HTML-encoded; SMTP QUIT handling fixed; collection management fixed in Password Manager; plus Rust 1.82.0, extension-refresh flag, and invite UI tweaks.

1.32.2

2024-10-13

This release fixes collection management for managers, resolves Windows compilation issues, includes updates and collection management fixes, and corrects --version behavior when no config is present.

1.32.1

2024-10-03

Fixed native mobile sync/login, added CLI to back up SQLite DB, updated email templates for invites and 2FA/login, and included numerous fixes and updates across web-vault, admin pages, migrations, and security.

1.32.0

2024-08-11

Security fixes for CVE-2024-39924/39925/39926; update web-vault to 2024.6.2, rollback of password reset enrollment, plus numerous fixes and improvements across login, MFA, note size, Dockerfile, Rust crates, and admin UI.

1.31.0

2024-07-08

This release adds beta native mobile apps, drops WebSocket on port 3012, updates web vault to 2024.5.1, and switches EU push endpoint to api.bitwarden.eu, plus numerous fixes and improvements.

1.30.5

2024-03-02

Fix: Web API call issue with jQuery 3.7.1; new contributor @calvin-li-developer (first contribution).

1.30.4

2024-03-02

WebSockets are now integrated into the HTTP server; the old 3012 setup is deprecated—migrate per the wiki—and the release includes crates, Kubernetes detection, updated GHA workflows, Rust/web-vault, codegen-units, env template fixes, and a Python script, plus a new contributor.

1.30.3

2024-02-01

Minor release fixing push notification device registration and .env healthcheck issues; WebSockets now integrated into the main HTTP server, deprecating the 3012-based setup and simplifying proxies per new wiki guidance.

1.30.2

2024-01-30

WebSockets live sync is now served by the main HTTP server (no separate 3012 rule); migrate to the new setup, as the old port 3012 will be deprecated and removed in the next release.

1.30.1

2023-11-19

Minor release fixes Login with device, restores alpine docker tag, integrates WebSocket live sync into the main HTTP server and deprecates the 3012 proxy setup; see the wiki for migration guidance and the full changelog.

1.30.0

2023-11-05

Vaultwarden now serves WebSockets from the main HTTP server (no 3012 rule needed); adds passkey support and web vault 2023.10.0, plus various bug fixes and migration guidance.

1.29.2

2023-08-31

Minor release fixes login flow and removes forced master password prompt, LDAP import status, adds login with device, updates images and Rust, optimizes favicon, adds decryption options, new secretsmanager plan, enables auth header for WebSockets, and admin UI improvements.

1.29.1

2023-07-26

Minor 1.29.1 release; fixes Org API Key generation on PostgreSQL, external_id issues; adds forwardemail support; removes debug code during attachment download.

1.29.0

2023-07-09

Vaultwarden 1.29.0 adds WebSocket over HTTP port (3012 still supported), mobile push, Web Vault 2023.5.0, Directory Connector v2022.11.0, passkeys support, plus numerous fixes and dependency updates.

1.28.1

2023-04-02

1.28.0

2023-03-26

Vaultwarden is now AGPLv3 licensed, adds Argon2 KDF for clients and admin tokens, and offers beta alternative registries (GHCR and Quay), alongside numerous fixes and improvements.

1.27.0

2022-12-24

Adds organization-wide event logs and beta group support, plus a Web Vault update and numerous bugfixes and improvements.

1.26.0

2022-10-14

Vaultwarden 1.26.0 adds web vault v2022.10.0, numerous fixes (uploads, 404 catcher, login errors, org revoke, export), API v2 support, CSP tweaks, build updates, improved JWT messages, CreationDate in cipher JSON, and new contributors.

1.25.2

2022-07-27

Migrates to the vaultwarden image; patches to prevent corrupted attachments by returning errors; fixes persistent volume checks, CSP/icon redirects, and updates the CI build workflow.

1.25.1

2022-07-16

Migrated to vaultwarden image; updated web vault to 2022.6.2, added TMP_FOLDER and password_hints_allowed, persistent volume checks, Firefox CSP fixes, identicon fixes, websocket upgrade to tungstenite, and OpenSSL 111.22.0 with assorted fixes.

1.25.0

2022-05-23

Migration urged: switch from bitwardenrs/server to vaultwarden; release adds web vault 2.28.1, Rocket 0.5, async updates, new API endpoints and env path customization, admin login autofocus, CVE fixes, performance/sync improvements, and Rust upgrade.

1.24.0

2022-01-30

Migrate to the vaultwarden image; adds external icon support with redirect options, API keys, user/admin login rate limits, Permissions-Policy, caching Expires header, longer email tokens, a Rust CVE fix, and various bug fixes/domain sync.

1.23.1

2021-12-14

Migrates from bitwardenrs/server to vaultwarden image; adds email alerts for incomplete 2FA, fixes read_only/hide_passwords conflict, fixes encrypted key after emergency access reject, PostgreSQL migration, macro optimizations, enables trust-dns, updates web vault to 2.25.0.

1.23.0

2021-10-20

Migrates from bitwardenrs/server to vaultwarden; adds emergency access, single-organization policy, org bulk user actions; fixes webauthn origin, email caps, import ownership; updates web vault, tzdata, icon fetch, deps; docker builds via GitHub Actions; /alive now checks DB.

1.22.2

2021-07-25

Migrate from bitwardenrs/server* to vaultwarden; deprecated after 1.23.0. Highlights: web vault 2.

1.22.1

2021-06-29

Migrate to the vaultwarden image from bitwardenrs/server* as old images are deprecated and stop updates after 1.23.0; Alpine builds have been fixed.

1.22.0

2021-06-28

Migrate to vaultwarden image; deprecated bitwardenrs images after 1.23.0. New: sends_allowed, hide sender email, send policy, password reprompt, new attachment API with tokenized downloads, webauthn, admin shows overridden vars, updated deps/openssl RSA keys, web vault no T&C.

1.21.0

2021-04-30

Renamed project to vaultwarden; docker image migration required; git branch renamed to main; new features: auto-delete trash after X days with configurable purge schedule; improved icon detection; admin page version checks and SQLite backup.

1.20.0

2021-03-28

Adds Send functionality, upgrades Web Vault to 2.19.0, fixes CORS, enhances diagnostics page with more info, and updates dependencies.

1.19.0

2021-02-06

Release introduces enhanced admin UI (diagnostics, sort users by date, modify user types, delete organizations), experimental LDAP import, Personal Ownership policy, improved Docker SIGTERM handling, web vault 2.18.1, multi-arch builds with buildx and OpenContainers labels, and synced global domains.

1.18.0

2020-12-28

1.17.0

2020-10-10

Adds a single image with SQLite/MySQL/PostgreSQL support across ARM/AMD64, including Alpine variants; improved DB connection retries, session/item/admin fixes, multi-SMTP auth, per-user favorites, web vault update, and an optional vendored_openssl feature.

1.16.3

2020-08-08

Fixed building issues for MySQL/PostgreSQL releases; added user-restricted organization creation; synchronized global_domains.json with upstream.

1.16.2

2020-08-06

Fixed vault unlock issue in the desktop client; re-added arm32v6 tag for ARMv6 Docker compatibility; and fixed websocket notifications when sending an item to trash.

1.16.1

2020-07-26

Log timestamps now include milliseconds by default with LOG_TIMESTAMP_FORMAT option; restored arm32v6 tag for docker images due to arch detection; release uses docker multiarch images with migration guidance.

1.16.0

2020-07-21

Implemented Docker multiarch support; images now auto-detect architecture with unified tags (no arch-specific tags), plus improvements to startup, password masking, and timezone-aware email notifications.

1.15.1

2020-06-07

1.15.0

2020-06-02

Urgent required update for newer clients: enables soft deletion, redesigned multi-page admin with user verification icons, diagnostics page; web vault 2.14; logs include IP for TOTP failures to aid fail2ban; whitelist fixes; fixed PostgreSQL note deletion; updated deps.

1.14.2

2020-04-11

Bug fixes for mobile sync errors and websockets ID, web vault 2.13.2, improved Docker health check with subdirectory support, allow BWRS_VERSION env var to set build version, plus dependency updates and other bug fixes.

1.14.1

2020-03-21

Adds organization policies and cipher cloning, updates web vault to 2.13, relaxes SMTP login quoting/casing, updates dependencies, makes panics loggable, and fixes errors when importing into orgs or accepting invites.

1.14

2020-03-13

Adds subpath support via DOMAIN, per-user/org attachment limits, U2F updates, SMTP test, docker-based web vault, boolean config handling, fix for two-factor/Postgres, email change, punycode domains, icon caching, invite org name option, admin invites, and dependency updates.

1.13.1

2020-01-05

Introduces filtered, collapsed logs with debug/trace levels; fixes cipher-page huge-file crash; adds IP_HEADER (default X-Client-IP); prints server time on TOTP failure; guards websockets against panics; adds admin logout, U2F key delete endpoint, and dependency upgrades.

1.13.0

2019-11-30

Adds email verification with SIGNUPS_VERIFY toggle, welcome and confirmation emails (change email and account deletion), DataURL favicon support, and dependency updates.

1.12.0

2019-11-20

Improved HIBP error with link; allow 1.5-min TOTP drift (disable via AUTHENTICATOR_DISABLE_TIME_DRIFT); cache domain icon blacklist; generate recovery codes for email/Duo 2FA; remove MySQL libs from SQLite; SMTP timeout 15s; Podman-ready images; domain whitelist signups; fix web vault twofactorauth.org; deps updated.

1.11.0

2019-10-08

Migration guidance to bitwardenrs/server; PostgreSQL support (experimental), icon blacklist non-global IPs, SQLite binary in images, admin pages offline, CORS, healthcheck, email 2FA, and web vault 2.12.0.

1.10.0

2019-08-27

Adds MySQL support (with migration steps), SQLite backup, HIBP v3 with paid key, optional SMTP authentication, admin option to remove 2FA, login-on-new-device alerts, web vault 2.11.0, icon-fetch proxy, and general bug fixes. Migrate to bitwardenrs/server.

1.9.1

2019-06-01

Fixed broken U2F in Chrome 74+, added images to email, and updated dependencies.

1.9.0

2019-04-27

Release adds Duo 2FA (global or per-user), web vault 2.10.0, LOG_LEVEL for logging, syslog support via USE_SYSLOG, DATA_FOLDER now influences CONFIG_FILE, improved Admin API endpoints, plus other fixes.

1.8.0

2019-03-23

Admin panel now hides secrets by default, shows version, and displays read-only settings; adds force-resync, multi-user U2F with names, HTML email version, vault 2.9.0, constant-time password/tokens, new config options, and general dependency fixes.

1.7.0

2019-02-08

Adds admin-configurable JSON settings, email templating with Handlebars (reload option), non-upstream icon downloader with disable option, enhanced admin panel badges and session deauth, recovery code for YubiKey, env loading restricted to CWD, a Feature-Policy header, plus fixes.

1.6.1

2019-01-12

Minor fix release: enables Yubikey support on AArch64, fixes errors editing cipher with attachments and hiding cipher when deleting attachments, and adds an unofficial server warning.

1.6.0

2019-01-10

Added new /admin panel (requires ADMIN_TOKEN; admin_email removed), introduced email invites, web vault v2.8.0, fixed AArch64 build (disables Yubikey), TTLs for icon cache, improved error handling, bug fixes; wiki launched for documentation.

1.5.0

2018-12-17

Revamped logging with file/syslog options (disable via EXTENDED_LOGGING); updated web vault to 2.7.1; added key rotation and per-attachment keys; added Yubico support; Rocket web server 0.4; fixes for logout and mobile 2FA crashes.

1.4.0

2018-11-14

Websockets disabled by default (enable with WEBSOCKET_ENABLED=true; see README), web vault updated to 2.4.0, sync now avoids sending equivalent domains when unnecessary, plus assorted bug fixes and docs updates.

1.3.0

2018-10-13

Adds a simple admin panel for inviting/deleting users as an organization, a new WEBSOCKET_ADDRESS config option, Web Vault Docker updated to 2.4.0 with an aarch64 Dockerfile, dependency updates, and general bug fixes.

1.2.0

2018-09-23

Adds partial WebSocket notifications, fixes OpenSSL 1.1.1 compile error, returns default prelogin values when user missing, updates docker web vault to 2.3.0, changes client KDF iterations, and bumps dependencies.

1.1.0

2018-09-13

Major release adds web password hints display (with SMTP off), SMTP for hints, new musl/ARMv7 Docker images, Travis CI, KDF prelogin/notification, failed login IP/username, password history, web-vault 2.2, and cipher import for organizations.

1.0.0

2018-08-21

Release includes Web Vault updated to 2.1.1, updated dependencies, implementation of share-selected ciphers, and revised user revision date on changes to improve sync reliability.

0.13.0

2018-08-21

Adds a password hint feature, fixes the user revision date, and improves documentation.

0.12.0

2018-07-31

Adds missing attachment APIs and enables SQLite to run in WAL journal mode for improved concurrency.

0.11.0

2018-07-18

Hide organization data from unconfirmed users, update Arch package links, set Rocket default workers to 10 for better performance, and return 404 when a web vault file is missing.

0.10.0

2018-07-13

Implemented U2F authentication, enabling hardware security key-based user logins.