Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

• GHSA-937x-3j8m-7w7p Unconfirmed Owner Can Purge Entire Organization Vault.
• GHSA-569v-845w-g82p Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization
• GHSA-6j4w-g4jh-xjfx Refresh tokens not invalidated on security stamp rotation

These are private for now, pending CVE assignment.

Notes

• The admin templates have changed, please update them if you override these via templates.
• Two Factor Remember Tokens are now valid for max 30 days. Old tokens are invalid directly after upgrading.

What’s Changed

• apply policies only to confirmed members by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6892
• Feat(config): add feature flag for Safari account switching by @DerPlayer2001 in https://github.com/dani-garcia/vaultwarden/pull/6891
• fix: add ForcePasswordReset to api key login by @montdidier in https://github.com/dani-garcia/vaultwarden/pull/6904
• Add Webauthn related origins flag to known flags. by @pasarenicu in https://github.com/dani-garcia/vaultwarden/pull/6900
• Add 30s cache to SSO exchange_refresh_token by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6866
• Add cxp-import-mobile and cxp-export-mobile: feature flags on mobile by @phoeagon in https://github.com/dani-garcia/vaultwarden/pull/6853
• Misc updates and fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6910
• Support new desktop origin on CORS by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/6920
• Fix checkout action version by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6921
• Fix apikey login by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6922
• Fix email header base64 padding by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6961
• Update Feature Flags by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6981
• Update crates and GHA by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6980
• Use protected CI environment by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/7004
• Fix 2FA Remember to actually be 30 days by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6929
• Misc Updates by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7027
• Switch to attest action by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7017
• Rotate refresh-tokens on sstamp reset by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7031
• Misc org fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7032
• Fix empty string FolderId by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7048
• Disable deployments for release env by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7033
• Fix Send icons by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7051
• prevent managers from creating collections by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6890
• Change SQLite backup to use VACUUM INTO query by @getaaron in https://github.com/dani-garcia/vaultwarden/pull/6989
• Handle SIGTERM and SIGQUIT shutdown signals. by @0x484558 in https://github.com/dani-garcia/vaultwarden/pull/7008
• Do not display unavailable 2FA options by @0x484558 in https://github.com/dani-garcia/vaultwarden/pull/7013
• Fix logout push identifiers and send logout before clearing devices by @qaz741wsd856 in https://github.com/dani-garcia/vaultwarden/pull/7047
• Fix windows build issues by @idontneedonetho in https://github.com/dani-garcia/vaultwarden/pull/7065
• Crate and GHA updates by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7081

New Contributors

• @DerPlayer2001 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6891
• @montdidier made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6904
• @pasarenicu made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6900
• @phoeagon made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6853
• @getaaron made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6989
• @0x484558 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7008
• @qaz741wsd856 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7047
• @idontneedonetho made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7065

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.4…1.35.5