mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-04-25 09:15:58 +03:00
-
1.35.4 Stable
kerem released this
2026-02-24 00:23:41 +03:00 | 37 commits to main since this release📅 Originally published on GitHub: Mon, 23 Feb 2026 21:43:25 GMT
🏷️ Git tag created: Mon, 23 Feb 2026 21:23:41 GMTSecurity Fixes
This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.
- GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
- GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
- GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.
These are private for now, pending CVE assignment.
What's Changed
- Update Rust and Crates and GHA by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6843
- hide remember 2fa token by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6852
- fix(send_invite): invite links by @proofofcopilot in https://github.com/dani-garcia/vaultwarden/pull/6824
- Misc organization fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6867
New Contributors
- @proofofcopilot made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6824
Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.3...1.35.4
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
1.35.3 Stable
2026-02-10 23:20:59 +03:00 | 41 commits to main since this release📅 Originally published on GitHub: Tue, 10 Feb 2026 20:37:03 GMT
🏷️ Git tag created: Tue, 10 Feb 2026 20:20:59 GMTSecurity Fixes
This release contains security fixes for the following advisory. We strongly advice to update as soon as possible if you believe it could affect you.
- GHSA-h265-g7rm-h337 (Publication in process, waiting for CVE assignment)
This vulnerability would allow an authenticated attacker that is part of an organization to access items from collections to which the attacker does not belong.
What's Changed
- Fix User API Key login by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6712
- use email instead of empty name for webauhn by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6733
- hide password hints via CSS by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6726
- fix email as 2fa with auth requests by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6736
- Update crates, web-vault, js, workflows by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6749
- refactor: improve tooltips in diagnostics page by @tessus in https://github.com/dani-garcia/vaultwarden/pull/6765
- Empty AccountKeys when no private key by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6761
- fix error message for purging auth requests by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6776
- Misc updates, crates, rust, js, gha, vault by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6799
- Update crates and web-vault by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6810
- Fix org-details issue by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6811
Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.2...1.35.3
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
- GHSA-h265-g7rm-h337 (Publication in process, waiting for CVE assignment)
-
1.35.2 Stable
2026-01-09 21:22:41 +03:00 | 52 commits to main since this release📅 Originally published on GitHub: Fri, 09 Jan 2026 18:37:04 GMT
🏷️ Git tag created: Fri, 09 Jan 2026 18:22:41 GMTNotable changes
Fixed an issue with the web-vault which prevent creating an organization.
What's Changed
- update web-vault to fix org creation by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6646
- return no content with status code 204 by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6665
- allow MasterPasswordHash for Android by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6673
- improve sso callback path by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6676
- Fix web-vault version check and update web-vault by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6686
Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.1...1.35.2
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
1.35.1 Stable
2025-12-30 00:55:47 +03:00 | 57 commits to main since this release📅 Originally published on GitHub: Tue, 30 Dec 2025 14:21:05 GMT
🏷️ Git tag created: Mon, 29 Dec 2025 21:55:47 GMTNotable changes
- Fixed issue with applications being logged out after upgrading due to changes to refresh token parsing
- Updated web vault to 2025.12.1
- Correctly publish
alpinetag, which was missing in 1.35.0
What's Changed
- Update lockfile by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/6600
- Re-add
alpinetag by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6626 - Misc updates by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6627
- Try old refresh token if we fail to decode jwt by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/6629
Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.0...1.35.1
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
-
1.35.0 Stable
2025-12-28 01:53:01 +03:00 | 61 commits to main since this release📅 Originally published on GitHub: Sat, 27 Dec 2025 23:07:12 GMT
🏷️ Git tag created: Sat, 27 Dec 2025 22:53:01 GMTNotable changes
- Implemented support for SSO with OpenID Connect, https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect
- Updated web vault to 2025.12.0
- Added support for future mobile apps with versions 2026.1.0+
- This is the first vaultwarden release using immutable releases and release attestation!
What's Changed
- Fix multi delete slowdown by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6144
- Perform same checks when setting kdf by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6141
- SSO using OpenID Connect by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/3899
- Delete SSO.md by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/6152
- Update webauthn-rs to 0.5.x by @zUnixorn in https://github.com/dani-garcia/vaultwarden/pull/5934
- a little cleanup after SSO merge by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6153
- Fix link to point to the wiki by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6157
- Fix Email 2FA for mobile apps by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6156
- Update Rust to 1.89.0 by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6150
- Fix several more multi select push issues by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6151
- Fix minor typo by @ncguk in https://github.com/dani-garcia/vaultwarden/pull/6165
- Update crates, fixes some yanked crates by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6167
- Fix WebauthN issue with Software Keys by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6168
- Fix Playwright test conf and update deps by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6176
- Misc updates by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6185
- fix typo in description of helo_name by @Flottegurke in https://github.com/dani-garcia/vaultwarden/pull/6194
- Fix Playwright by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6206
- Switch to GHA's concurrency control by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6164
- Make database connection pool dynamic by @Samoth69 in https://github.com/dani-garcia/vaultwarden/pull/6166
- Re-add
ifcheck to release workflow by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6227 - Fix Webauthn/Passkey 2FA migration/validation issues by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6190
- refactor(config): update template, add validation by @tessus in https://github.com/dani-garcia/vaultwarden/pull/6229
- Show SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION in admin by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6235
- Update crates, gha and web-vault by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6234
- Fix panic around sso_master_password_policy by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6233
- make webauthn more optional by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6160
- Fix 2fa recovery endpoint by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6240
- update trivy-action to v0.33.0 by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6248
- update web vault to v2025.9.1 and allow new policy by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6340
- prevent changing collections when hide_passwords is true by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6278
- Fix
sso_userdropped onUser::saveby @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6262 - Change OIDC dummy identifier by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6263
- add new billing warnings endpoint by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6369
- Add auth_request pending endpoint by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6368
- Fix Org identifier by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6364
- add mail address change warning for invited accounts by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6377
- add missing media-src directive by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6381
- add seat limit for the invite dialog by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6371
- [Playwright] Improvements around node by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6321
- Use Diesels MultiConnections Derive by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6279
- Improve protected actions by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/6411
- Fix issue with key-rotation and emergency-access by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6421
- Optimizations and build speedup by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6339
- Use an older version of mariadb to prevent a panic by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6453
- Playwright against abitrary web-vault by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6380
- Fix KDF Change with new web-vault by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6458
- Fix: admin theme emoji alignment by @joepduin in https://github.com/dani-garcia/vaultwarden/pull/6459
- remove invalid emergency access dummy value by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6463
- Add
pm-25373-windows-biometrics-v2feature flag by @Ephemera42 in https://github.com/dani-garcia/vaultwarden/pull/6468 - Switch to multiple runners per arch by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6472
- Fix icon redirect caching by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6487
- Fix around singleorg policy by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6247
- fix email as 2fa provider by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6473
- Update crates and Rust version by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6485
- Add option to prefer IPv6 resolving by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6494
- Some small admin js/css updates by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6501
- Update crates and workflows and some fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6508
- Fixed a typo in the default TTL value by @k725 in https://github.com/dani-garcia/vaultwarden/pull/6528
- Iterate over tags on release by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6518
- Org.put_policy type not in body anymore by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6514
- Android want response property in camelCase by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6513
- Fix admin invite with SSO by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6498
- Improve sso auth flow by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/6205
- fix email as 2fa for sso by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6495
- Fix release workflow by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6532
- Further fixes for the release workflow by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6533
- add empty /api/tasks endpoint by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6557
- Revert to gzip compression by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6566
- support UriMatchDefaults policy by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6570
- Add new accountKeys and masterPasswordUnlock fields by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/6572
- Update crates and Rust by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6551
- Add UserDecryption on /sync too by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/6574
- Update web-vault to v2025.12.0 by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6577
- Fix posting cipher with readonly collections by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6578
- Update crates by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6585
- Simplify binary extraction by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6554
- Remove unnecessary output sharing between jobs by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/6555
- Add wrapped named variants to UserDecryptionOptions by @dani-garcia in https://github.com/dani-garcia/vaultwarden/pull/6598
New Contributors
- @zUnixorn made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/5934
- @ncguk made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6165
- @Flottegurke made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6194
- @Samoth69 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6166
- @joepduin made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6459
- @k725 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6528
Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.34.3...1.35.0
Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads