VaultWarden
Password manager with Bitwarden compatibility
Alternative to: bitwarden, 1password, lastpass, keepass, keeper
v1.36.0
2026-05-03
Security Fixes
This release contains security fixes for the following advisories. We strongly advise updating as soon as possible.
- SSO Login CSRF GHSA-pfp2-jhgq-6hg5 GHSA-w6h6-8r66-hcv7
- User/Organization Enumeration GHSA-hxqh-ff5p-wfr3
- SSO existing-user binding GHSA-j4j8-gpvj-7fqr GHSA-6x5c-84vm-5j56
- SSRF via Icon Endpoint GHSA-72vh-x5jq-m82g
- Some crates updated and other minor security enhancements
These are private for now, pending CVE assignment.
Notes
- Archiving of items is available https://bitwarden.com/blog/keep-your-vault-tidy-with-item-archiving/ https://bitwarden.com/nl-nl/help/managing-items/#archive
- Web Vault updated to v2026.4.1
What’s Changed
- SSO fallback to UserInfo preferred_username by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7128
- Dummy identifier need to pass for a guid by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7154
- add new /identity/accounts/prelogin/password by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/7156
- Add DuckDuckGo browser device type by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7147
- Apply duration_suboptimal_units lint findings by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7144
- Apply ref_option lint findings by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/7143
- Fix hardcoded sso identifier by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/7157
- Update crates and fix a nightly lint by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7161
- Fix Host/IP resolving by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7162
- Several SSO Fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7163
- Add support for archiving items by @matt-aaron in https://github.com/dani-garcia/vaultwarden/pull/6916
- Fix favicon fetching to check all icon links instead of just the first one by @Shocker in https://github.com/dani-garcia/vaultwarden/pull/6880
- Fix merge conflict by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/7164
- Replace organization_uuid unwrap with proper error handling by @xjohnyknox in https://github.com/dani-garcia/vaultwarden/pull/6936
- fix: return Err instead of panic on unknown cipher atype in to_json() by @mango766 in https://github.com/dani-garcia/vaultwarden/pull/7068
- Allow SQLite to be linked against dynamically by @ISSOtm in https://github.com/dani-garcia/vaultwarden/pull/7057
- Update crates and web-vault by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7171
- Update hickory by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/7175
New Contributors
- @matt-aaron made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6916
- @Shocker made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6880
- @xjohnyknox made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6936
- @mango766 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7068
- @ISSOtm made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/7057
Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.8...1.36.0
You can discuss this release here https://github.com/dani-garcia/vaultwarden/discussions/7177